Date: 30.03.2011, thanks, we got it: [espeak -v en "] Secure, mouseclick-fast upon MS Windows 7 and Linux and all belonging Linux-games: (bohemian) 19 W power consumpting computer ASUS (mini) ITX-220 from year 2009/2010 with a socked, crasfree bios, onboard Intel-soundchip, onboard Atheros-LAN-Chip and -ROM and onboard INTEL graphics, AOC WLED-TFT less 18 Watt with more than one million working hours, all for about 200 €. Looking upon technical revisions and software-rpm-packet-changelogs one notices, the world gave its best: 2010 - (quit) everything has been made for computers - magic year of fast, ergonomic, powersaving hardware, year of Mandriva 2010, year of CentOS 6 ( DVD CentOS 6 (actual tenth-revision, with many updates and patches by Jonny Hughes, NY) for 4,95 € or for free out of the internet ) and the for the more than 50.000 next ten years (until year 2026) fixed and patched packet-versions of Fedora Project resp. the in a careful way resulting and ( Fedora Core (fc) - ) backported Enterprise Linux (el) resp. CentOS 6, where its IT-security raised up quit to maxium by concept with methods, configurations and updates we want to present here on this webside, so that computer-technique got solved (after a long, long time ...): error-free (total: since python-stablity-patch from year 2016), free from trojans, hacker, viruses, spyware, adware, everything. Day after day the amount of still missing software declined and you still have to keep the computer up to date sometimes by installing some updates. Up to that year, the paid prices for different Linux distributions can exceed even those of other operating systems. But now you won´t have any difficulties. Text to the illustration from the top, Build your final

"UNIVERSAL COMPUTER with UNIVERSAL-LINUX"

consisting of up to 100 DVD a 4,4 GB full of rpm- and deb-packages (Debian) and many Tarballs from anywhere ON THE DAILY UPDATE-PATCH-CHANNEL (fc, el6/sl6) http://www.pro-linux.de/sicherheit/1/1/1.html) and belonging more Packages from pkgs.org, fr2.rpmfind.net and pbone.net. All kind of Linux-games run fine too.

Similar to Scientific Linux, "CentOS" stands for "Community Enterprise Operating System". It is based to 100% upon the source code of Red Hat Enterprise Linux. The only difference is, that commercial support is missing. Typical CentOS-user are organizations and private people aiming for a stable Enterprise-operating-system without the need of commercial support. The stable versions of CentOS are supported with (RPM-) acutualizations for ten years.
CentOS is a Linux-Distribution from Red Hat with the same source code like Red Hat Enterprise Linux. Since January 2014 CentOS belongs to Red Hat as a costly free alternative to Red Hat Enterprise Linux for all those, that do not need commercial support for Red Hat Enterprise Linux. Even no one guarantees, CentOS in fact is almost compatible with Red Hat Enterprise Linux.
https://www.pro-linux.de/news/1/27054/centos-8-benötigt-noch-etwas-zeit.html

What we are going to describe in the following:

No hacker, no virusses, no trojans, no malware, no ad- and no spyware, no ransomware, no dangerous scripts, rare resp. no left traces in the net, ..., nothing of it, and no kernel up from 2.6.39 (if stable) and not much root owned processes, that can affect the computer system anymore: use

• command dd for secure working with the partitionwise restores and backups started from an encrypted rescue partition, usb-memory-stick or DVD like Knoppix together with cryptsetup (LUKS) installed,
• ipables-based firewall linfw3,
• port scan detection (psad, psd),
• intrusion detection sysems (IDS)
• the local dns-cache dnsmasq
• and adblocker like our listing importing konqueror-adblocker and free useragent-settings and other extensions for your browser together with
• sandbox firejail (pclos),
• configure /etc/fstab for the declaration of the partitions and file systems, in our case ext4 under security aspects,
• configure /etc/passwd for the blocking shells,
• set owner- and access-rights,
• ACL (setfacl/getfacl),
• use MAC (apparmor, tomoyo) and
• chattr upon UNIX/Linux-filesystems and follow the
• configurations and methods introduced here on this webside to make security really possible! Profit from
• end-to-end-encrypting TLS/SSL used by browser like Konqueror, Firefox, Firefox ESR resp. Tor-Browser (Firefox ESR) and
• pgp/gpg- and TLS-based e-mail-clients like Thunderbird and/or Kmail, claws-mail with claws-mail-plugins, ...
• all this upon a Luks/dm-crypt and dracut full encrypted computer-system (FSE), going sure also with a read-only set (and by dracut LUKS-encrypted) root-partition.

HOWTO: Either you install the version of an actual (new) Linux-distribution after the expiration of the updates for your installed one, we recommend Debian Linux resp. Ubuntu, SuSE Linux, Fedora, the in a careful way from Fedora resulting and backported CentOS (resp. RedHat), Rosa and Openmandriva, PCWelt: Ubuntu and Mint, or you install the covering and approved (and many, many TOP-games on the base of OpenGL and SDL including) el6, mdv2010.0 resp. mdv2011, mga1 up to mga3 or any rpm-distribution of the last decades from fr2.rpmfind.net and care for its updates. For mdv2010.0 you think of updating with the secure running autumn- and spring- updatening version mdv2010.1 and mdv2010.2 to mdv2010.2 (65 GB, around 15 DVD).

How does this work? It´s easy (or it sound so): All you need for the next time in principle is "any" Linux-distribution from DVD/CD, USB-memory-stick or per download out of the internet etc., one that is named by PRO-Linux (http://www.pro-linux.de/1/1/sicherheit.html) withiin the hugh update-listing of the last ten, twenty years. Install this distribution following the self activating installation instructions onto an installation media (we recommend an at least 120 GB Solid State Disk (SSD with an at least 65 GB sized main- resp. root-partition and at least 2 GB SWAP-partition)) and eventually more single programms resp. packages with the help of an as much expressive packagemanger as possible. We recommend Debian Linux or a ( Fedora Core - ) backported and long-update-support guaranteeing Linux-Distribution (like RedHat resp. CentOS and Scientific Linux el6 and el7). Regardless from the amount of software resp. packages, this Linux-Distribution can be considered as a gear to the big UNIX/Linux- and its emulation-world of even more, we recommend actual UNIX-/Linux-distributions, actual updates and all kind of software and games. Emulation means, that with the help of emulators (like Wine for MS Windows) and virtual machines like Xen and Qemu software running upon other operating systems can be used too. Notice, that it is possible to install all software on the installation media at once without risking too much. The important thing is, that it is possisble to upgrade the Standard-GNU-C-library (glibc) of this distribution, so that the kernel of the LONGTERM-series out of kernel-3 and -4 can be upgraded too..

A securing 1:1 partioned media should not miss! Perform all security methods introduced in future point by point as soon as possible, as the installation is endangered extremely (by hacker and so on) with the very first built-up connection to the net!

quot;There is not much diffrence between the Linux-Distributions / Der Unterschied zwischen den Linux-Distributionen ist nicht sehr groß mit Ausnahme der Basisinstallation und der Paketverwaltung. Die meisten Distributionen beinhalten zum Großteil die gleichen Anwendungen. Der Hauptunterschied besteht in den Versionen dieser Programme, die mit der stabilen Veröffentlichung der Distribution ausgeliefert werden. Zum Beispiel sind der Kernel, Bind, Apache, OpenSSH, Xorg, gcc, zlib, etc. in allen Linux-Distributionen vorhanden."
https://www.debian.org/doc/manuals/securing-debian-howto/ch12.de.html

Right up from the very beginning - installing an OS like UNIX/Linux

... most already through installation media:

format -" partitioning -> format -> encryption (full system encryption, FSE) -> format -> installation (from extern media) -> configuration -> defragmentation (not essential for many UNIX/Linux file systems) -> encryption (full system encryption, FSE) -> (backup with dd and) actualization -> configuration -> (backup with dd and) actualization ( ... notice total time needed: ? )

Alternatively: Some nice "guy" or so does many things for you by mirroring almost completed system from his onto your own media (SSD (sdx), harddisc (S-ATA: sdx, IDE: hdx, CD-/DVD, USB-memory stick, ...). This can save plenty of time (look out for the right processor architecture (x86_64, i686, ...) and set /etc/X11/xorg.conf for the next time to vesa or fb)! Do this mirroring with a command like: "dd if=/dev/sda of=/dev/sdb"

Used editor in the following: nano

First this webside introduces some configurations, followed by actualization, partitioning, encryption during the introduction of basic shell-commands.

Mounting partitions the right way
When mounting an Ext file system (ext2, ext3 or ext4), there are several additional options you can apply to the mount call or to /etc/fstab. For instance, this is my fstab entry for the /tmp partition:

/dev/hda7 /tmp ext2 defaults,nosuid,noexec,nodev 0 2

You see the difference in the options sections. The option nosuid ignores the setuid and setgid bits completely, while noexec forbids execution of any program on that mount point, and nodev ignores device files. This sounds great, but it:

only applies to ext2 or ext3 file systems

can be circumvented easily

The noexec option prevents binaries from being executed directly, but was easily circumvented in earlier versions of the kernel:

alex@joker:/tmp# mount | grep tmp
/dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)
alex@joker:/tmp# ./date
bash: ./date: Permission denied
alex@joker:/tmp# /lib/ld-linux.so.2 ./date
Sun Dec 3 17:49:23 CET 2000

Newer versions of the kernel do however handle the noexec flag properly:

angrist:/tmp# mount | grep /tmp
/dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)
angrist:/tmp# ./date
bash: ./tmp: Permission denied
angrist:/tmp# /lib/ld-linux.so.2 ./date
./date: error while loading shared libraries: ./date: failed to map segment
from shared object: Operation not permitted

However, many script kiddies have exploits which try to create and execute files in /tmp. If they do not have a clue, they will fall into this pit. In other words, a user cannot be tricked into executing a trojanized binary in /tmp e.g. when /tmp is accidentally added into the local PATH.

Also be forewarned, some script might depend on /tmp being executable. Most notably, Debconf has (had?) some issues regarding this, for more information see Bug 116448.

The following is a more thorough example. A note, though: /var could be set noexec, but some software [21] keeps its programs under in /var. The same applies to the nosuid option.

/dev/sda6 /usr ext3 defaults,ro,nodev 0 2
/dev/sda12 /usr/share ext3 defaults,ro,nodev,nosuid 0 2
/dev/sda7 /var ext3 defaults,nodev,usrquota,grpquota 0 2
/dev/sda8 /tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2
/dev/sda9 /var/tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2
/dev/sda10 /var/log ext3 defaults,nodev,nosuid,noexec 0 2
/dev/sda11 /var/account ext3 defaults,nodev,nosuid,noexec 0 2
/dev/sda13 /home ext3 rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota 0 2
/dev/fd0 /mnt/fd0 ext3 defaults,users,nodev,nosuid,noexec 0 0
/dev/fd0 /mnt/floppy vfat defaults,users,nodev,nosuid,noexec 0 0
/dev/hda /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html

Postfix - shorten information


/etc/postifx/main.cf

smtpd_banner = DOLLARSIGNmyhostname ESMTP DOLLARSIGNmail_name (FreeBSD/GNU)

... that means without version number and eventually with a new operating system name.
https://www.debian.org/doc/manuals/securing-debian-howto/ch12.de.html

dbus (messagebus): Secure up single service-files
dbus of many versions does make mistakes from time to time, by removing single service-files out of /usr/share/dbus-1/services and /usr/share/dbus-1/system-services from time to time without being allowed.
Therefore all service-files should be backuped in any backup-directory.

Exchange "Exec=kded" into "Exec=kded4"
nano /usr/share/dbus-1/services/org.kde.kded.service
[D-BUS Service]
Name=org.kde.kded
Exec=/usr/bin/kded4

Just update by the kernel-binary (kernel-...rpm) or configure, patch and compile the kernel-source (kernel-...rpm.src)
We assume, that any rpm-based Linux-Distribution is already installed on a storage media like harddisc. Our section for updates refers to RedHat, CentOS oder Scientific Linux, Fedora Core, PCLinuxOS, ROSA, Mageia oder Mandriva.
How to configure, patch and compile kernel-sources: Download and install all binary rpm required for the kernel. Then download, install or enpack the kernel-source-rpm into /usr/src either by "tar -xvjf kernel-source-package", rpm on the kernel-source-rpm or file-roller. A new directory named "linux-kernelversion-xxx" or "kernel-source-xxx" is created within /usr/src.
Link this new directory to a linking file named linux: "ln -sf linux-xxx linux" resp. "ln -sf kernel-source-xxx linux".
Change into this directory linux resp. linux-xxx resp. kernel-source-xxxx and call "menu oldconfig".. A file .config is created to configure the kernel.
Type "menu xconfig" or "menu gconfig" or "make menuconfig" and configure the kernel-drivers and so on needed (CC), needed as modules (CC MM) and such to resign from.
For FSE (full system encryption) by dracut, two options have to be enabled, what is already done in kernel (pclos, rosa2016.1, el8, el7) and kernel-desktop (mdv2011) but not kernel (el6):

Generally, the security level of software is not only presented by stability, but also by the freeness of errors and warnings during the compilation of their source codes listed by the compiler. Kernel-2.6.32 (el6) consists of many of them and some of them are caused by kmem.h, while the quit restless error-free (only a few small patches 2012-2016 inclusive dirty-cow are known!) kernel-2.6.39.4-5.1 (mdv2011) runs error-free on our system without any warnings during the compilation time of around four hours! This is the best sign for good and secure running code. The only thing remaining is to patch with the dirty-cow-patch in mm.h and memory.c.

http://repository.timesys.com/buildsources/k/kernel/kernel-2.6.39/

Kernel: We recommend kernel 4 (we chose 4.20.13 (pclos) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: Version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: Version 008)) and glibc (pclos)), but do describe 2.6.39.4-5 now (also running on some playstations and so on) patched up to date by sources (containing the dirty-cow-patch in main), consisting of less compilation warning and no errors than 2.6.32 (el6). This mdv-kernel is described from patch-sources like http://repository.timesys.com/buildsources/k/kernel/kernel-2.6.39/, kernel itself from http://fr2.rpmfind.net/linux/kernel/v2.6/linux-2.6.39.4.tar.xz: kernel-desktop (mdv2011): glibc (pclos, mga6), module-init-tools (we recommend mdv2011, but you can also use el6, up to 3.16; append ".conf" to all files in /etc/modules.d; module-init-tools (mdv2011) never makes trouble with it), coreutils (el6), initscripts (mdv2011, pclos and el6 as depecited below), util-linux (mdv2011 or el6 except /bin/mount, /bin/mount and /lib64/libmount* you have to delete after enpacking the rpm (not installing!) and copying its include), kernel-firmware (pclos, slack14.2 with more than 250 MB unpacked, mga6, el6), if you want plus kernel-firmware (OpenSuSE 42.1, 32 MB) plus kernel-firmware (OpenSuSE 13.2) plus linux-firmware (fc27, 35 MB) plus kernel-firmware-extra (pclos, rosa2014.1), kernel-headers (el6), kernel-doc (el6), ksymoops (OpenSuSE 12.2, mdv2011), coreutils (el6), coreutils-libs (el6), binutils (fc25, el6), nss (el7, el6, fc30), nss-softokn (el7, el6, fc30), nss-sysinit (el7, el6, fc30) und nss-softokn-freebl (el7, el6, fc30), nss-util (el7, el6, fc30), nss-tools (el7, el6, fc30) .

All patches for 2.6.39.4-5.1 until now are available in the internet from http://repository.timesys.com/buildsources/k/kernel/kernel-2.6.39/.
compiler-gcc5, add-timesys-bootlogo, dirty-cow, lantronix-ts1, no-setlocalversion, no-unused-but-set-variable, revert-nfsroot, timeconst.pl-eliminate-perl-warning, ltrx-image-rom and yaffs2.

Patch: patch (el6, fc27, mdv2010.1) has to be installed. Then type "patch -p1 < ../patchname.patch "

But at first do the following:

Actual Kernel: how to install a patched kernel-source: A lot of freed partition (memory) is required, maybe plenty of Gigabyte. Download and install all binary rpm required for the kernel. Then download and enpack the kernel-source-rpm into /usr/src either by "tar -xvjf kernel-source-package" or file-roller.

Two possibilites:
1) building a kernel-rpm out of the sources after applying the patches: Configure the spec-file of the installed source-rpm by adding or commenting in and out the patches to build a new binary kernel-rpm to install or update: https://www.howtoforge.de/anleitung/wie-man-einen-kernel-kompiliert-auf-fedora/. For CentOS and mdv depending on the package manager use command "rpm -ba" instead of "rpmbuild -ba" kernel-xxx.spec to create the binary..
2) Configure the sources and compile them:
A new directory named "linux-kernelversion" or "kernel-source-kernelversion" is created within /usr/src.
Link this new directory to a linking file named linux: "ln -sf linux-kernelversion linux" resp. "ln -sf kernel-source-kernelversion linux".
Change into this directory linux resp. linux-kernelversion resp. kernel-source-xxxx and call "menu oldconfig". A file .config is created to configure the kernel. Copy .config to include/config/auto.conf

If you do not know, what to enable or not, choose MM
(M) or (CC) to load as a module wherever possible,
(A) or (CC MM) auto-load the module or
(-): resign from the module.

Example (module extraction of kernel-2.6.39-40.src.rpm)


General Preparation of Linux, kernel-2.6.39-40.src.rpm

In order to take a firewall in use, kernel support for iptables and modules should be enabled.
Open a konsole and enter one of the statements
make menuconfig for the Dialog-GUI,
male xconfig for tk-GUI or
make gconfig with GTK or
make config


Choose kernel options within

Networking options --->
[*] Network packet filtering (replaces ipchains)
IP: Netfilter Configuration --->
.
(M) Userspace queueing via NETLINK (EXPERIMENTAL)
(M) IP tables support (required for filtering/masq/NAT)
(M) limit match support
(M) MAC address match support
(M) netfilter MARK match support
(M) Multiple port match support

(M) TOS match support
(M) Connection state match support
(M) Unclean match support (EXPERIMENTAL)
(M) Owner match support (EXPERIMENTAL)
(M) Packet filtering
(M) REJECT target support
(M) MIRROR target support (EXPERIMENTAL)
.
(M) Packet mangling
(M) TOS target support
(M) MARK target support
(M) LOG target support
(M) ipchains (2.2-style) support
(M) ipfwadm (2.0-style) support

think of other options (modules), store this configuration.

Before iptables can be used, the kernel module netfilter for the support of iptables has to be loaded e.g. by the statement modprobe:
# modprobe ip_tables

kernel-firmware (binary blobs within /lib/firmware, rpm kernel-firmware (around 250 MB) and/or kernel-firmware-extra ):

For kernels before 4.18:
KERNEL Enable support for Linux firmware

Device Drivers --->
Generic Driver Options --->
-*- Userspace firmware loading support
[*] Include in-kernel firmware blobs in kernel binary
(/lib/firmware) Firmware blobs root directory

For kernels beginning with 4.18:
KERNEL Enable support for Linux firmware

Device Drivers --->
Generic Driver Options --->
Firmware loader --->
-*- Firmware loading facility
() Build named firmware blobs into the kernel binary
(/lib/firmware) Firmware blobs root directory

Type "make dep && make clean && make mrproper" .

Type "menu xconfig" or "menu gconfig" or "make menuconfig" and configure the kernel-drivers and so on needed (CC), needed as modules (CC MM) and such to resign from, or for a pregiven configuration type "make oldconfig".

For FSE (full system encryption) by dracut, two options have to be enabled, what is already done in kernel-desktop (mdv2011) but not kernel (el6):
within the first item "General Setup"enable "Initial-RAM-filesystem and RAM-disk-support"and in "general drivers" enable the option "Maintain a devtmpfs at /dev/ with subitem "automount devtmpfs at /dev, after the kernel mounted the rootfs".
If you do not know, what to enable or not, choose MM to load as a module wherever possible.
Save the new .config.
Set the Kernel-Version at the top of the makefile.
Three possibilites, after the patching of the source-code like the dirty-cow-patch:
patch -p1 < ../any_patch.patch
apply all other patches in this way
make -i rpm (to create the binary kernel-rpm package, what endures on our system for around four hours)
make all # or
make dep (dependency properties to establish the relationship)
make clean (to remove the old data)
make bzImage (to create its core vmlinuz for /boot only after renaming the created file bzImage: time needed: around 30 minutes) or
make bzImage &,& make modules && make modules_install for the installation of the kernel-modules too.
Copy the bzImage to /boot, rename it to vmlinuz-kernelversion.
Use mkinitrd resp. in the case of FSE (Full Disk Encryption resp. encrypted root-partition) dracut to create the initrd resp. initramfs within directory /boot. If dracut does not work anymore ex. as a cause of updates, rename the new-kernel-version to the old-kernel-version in Makefile and make bzImage once again.
If you use grub as the bootloader and not grub2 and the configufile is still not configured for the new kernel, do this by editing /boot/grub/menu.lst and exchanging the vmlinuz-kernel-versions. If a new initramfs or initrd is created, enter them in the line for initrd.
done.

Installation guide and for tuning Linux secure: https://wiki.kairaven.de/open/os/linux/tuxsectune and https://wiki.centos.org/HowTos/OS_Protection ( in our example related to mdv2010.2 or CentOS 6 el6 with many patches/updates by Jonny Hughes, NY ). Be careful, for example with the exchange of the password-encryption from md5 to sha256 or sha512 and the /etc/system-auth. Make backup or copies!

Through "about:config" many URL can be removed out of the listing after typing in "http".

Using Compile-time-Hardening-Options
Several compile-time options (detailed below) can be used to help harden a resulting binary against memory corruption attacks or provide additional warning messages during compiles. Using "dpkg-buildflags" is the recommended way to incorporate the build flags in Debian.
See ReleaseGoals/SecurityHardeningBuildFlags for additional information, https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags.
For a step-by-step guide, see the HardeningWalkthrough, https://wiki.debian.org/HardeningWalkthrough.
Source: https://wiki.debian.org/Hardening
Fedora/CentOS etc: https://fedoraproject.org/wiki/Changes/Harden_All_Packages

Listing: Linux-Security-Updates up from year 2000, PRO-LINUX.de
... of the most important distributions with naming the closed error, bug resp. exploit
https://www.pro-linux.de/sicherheit/1/1/1.html

Recent LWN.net security pages
Here are the most recent LWN.net security pages, with a comprehensive roundup of a week´s worth security-related information.


Date Contents
Apr 12, 2017 Network security in the microservice environment; Two Project Zero reports; ..
. Apr 05, 2017 ARM pointer authentication; Quotes; Exploiting Broadcom WiFi; ...
Mar 29, 2017 refcount_t meets the network stack; Quotes; ...
Mar 22, 2017 Inline encryption support for block devices; Shim review; ..
. Mar 15, 2017 A kernel TEE party; Quotes; Struts 2 vulnerability; ...
Mar 08, 2017 A new process for CVE assignment; Smart TV bugging quotes; Threat modeling ...
Mar 01, 2017 The case of the prematurely freed SKB; SHA-1 collision and fallout; ...
Feb 22, 2017 The case against password hashers; New vulnerabilities in dropbear, kernel, nagios-core, qemu, ...
Feb 15, 2017 A look at password managers; New vulnerabilities in kernel, libevent, mysql, php, ...
Feb 08, 2017 Reliably generating good passwords; New vulnerabilities in epiphany, graphicsmagick, gstreamer (and plugins), spice, ...
Feb 01, 2017 The Internet of scary things; New vulnerabilities in ansible, chromium, kernel, mozilla, ...
Jan 25, 2017 Security training for everyone; New vulnerabilities in fedmsg, firejail, java, systemd, ...
Jan 18, 2017 Ansible and CVE-2016-9587; New vulnerabilities in bind, docker, qemu, webkit2gtk, ...
Jan 11, 2017 SipHash in the kernel; New vulnerabilities in kernel, kopete, syncthing, webkit2gtk, ...
Jan 04, 2017 Fuzzing open source; New vulnerabilities in bash, httpd, kernel, openssh, ...
Dec 22, 2016 OWASP ModSecurity Core Rule Set 3.0; New vulnerabilities in apport, kernel, libupnp, samba, ...
Dec 14, 2016 ModSecurity for web-application firewalls; New vulnerabilities in jasper, kernel, mozilla, roundcube, ...
Dec 07, 2016 Locking down module parameters; New vulnerabilities in chromium, firefox, kernel, xen, ...
Nov 30, 2016 Django debates user tracking; New vulnerabilities in drupal, firefox, kernel, ntp, ...
Nov 16, 2016 Reference-count protection in the kernel; New vulnerabilities in chromium, firefox, kernel, sudo, ...
https://lwn.net/Security/

Setting /usr read-only for the separate usr-partition
If you set /usr read-only (in /etc/fstab), you will not be able to install new packages on your Debian GNU/Linux system. You will have to first remount it read-write, install the packages and then remount it read-only. apt can be configured to run commands before and after installing packages, so you might want to configure it properly.
To do this modify /etc/apt/apt.conf and add:

DPkg
{
Pre-Invoke { "mount /usr -o remount,rw" };
Post-Invoke { "mount /usr -o remount,ro" };
};

Note that the Post-Invoke may fail with a "/usr busy" error message. This happens mainly when you are using files during the update that got updated. You can find these programs by running

# lsof +L1

Stop or restart these programs and run the Post-Invoke manually. Beware! This means you´ll likely need to restart your X session (if you´re running one) every time you do a major upgrade of your system. You might want to reconsider whether a read-only /usr is suitable for your system ( and please notice, that this might not be recommended, if there is an encrypted root-partition), see also this discussion on debian-devel about read-only /usr.
We are going to encrypt even more the complete system (FSE) by reliable LUKS, including the complete root- and home-partition (and USB-media) to set partitions unwriteable to read-only. Notice, that this does not exclude the same for a separate usr-partition.

/etc/pam.d/system-auth ( tested just on our platform and system ):

#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth
auth required pam_deny.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_tally2.so deny=3 onerr=fail unlock_time=60
account sufficient pam_tcb.so shadow
account required pam_deny.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_tally2.so per_user
password required pam_cracklib.so try_first_pass retry=3 minlen=6 dcredit=1 ucredit=0
password sufficient pam_unix.so try_first_pass use_authtok sha512 shadow remember=2
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

More about pam-modules:
http://www.linuxdevcenter.com/pub/a/linux/2001/09/27/pamintro.html?page=2
https://linux.die.net/man/5/pam.d

One more things with PAM:
Use encryption other than DES for your passwords (making them harder to brute-force decode).
Set resource limits on all your users so they can´t perform denial-of-service attacks (number of processes, amount of memory, etc).
Enable shadow passwords (see below) on the fly.
Allow specific users to login only at specific times from specific places.
Within a few hours of installing and configuring your system, you can prevent many attacks before they even occur. For example, use PAM to disable the system-wide usage of .rhosts files in user´s home directories by adding these lines to /etc/pam.d/rlogin:

#
# Disable rsh / rlogin / rexec for users
#
login auth required pam_rhosts_auth.so no_rhosts

Quelle: http://www.tldp.org/HOWTO/Security-HOWTO/password-security.html#AEN698

Account locking
While having strong passwords in place for user accounts can help thwart brute force attacks as mentioned previously in point 18 - Enforce strong passwords, this is only one way of slowing down this type of attack. A good indication of brute force attack is a user account that has failed to log in successfully multiple times within a short period of time, these sorts of actions should be blocked and reported. We can block these attacks by automatically locking out the account, either at the directory if in use or locally.

The pam_tally2.so PAM module can be used to lock out local accounts after a set number of failures. To get this working I have added the below line to the /etc/pam.d/password-auth file.

auth required pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200

This will log all failures to the /var/log/tallylog file and lock out an account after 3 consecutive failures. By default it will not deny the root account however we can also lock out root by specifying even_deny_root (though this may not be required if you have disabled root access as per point 3 - Disable remote root access and point 4 - Disable root console access). The unlock time is the amount of seconds after a failed login attempt that an account will automatically unlock and become available again.

Failed logins can be viewed as below, to view all failures simply remove the --user flag.

[[email protected] ~]# pam_tally2 --user=bob Login Failures Latest failure From bob 4 08/21/15 19:38:23 localhost

The failure count can be manually reset by appending -reset onto this command.

pam_tally2 --user=bob --reset

If a login is successful before the limit has been reached the failure count will reset to 0. For more details see the pam_tally2 manual page by typing ´man pam_tally2´.

It´s worth noting that the manual page advises to configure this with the /etc/pam.d/login file, however I found that under CentOS 7 this did not work and needed to use the /etc/pam.d/password-auth file instead. I also tried using /etc/pam.d/system-auth which I found documented elsewhere but this also failed, so this may differ based on your operating system.

You can also manually lock and unlock local user accounts rather than waiting for the failure limit to be reached.
Lock the user account ‘bob´.https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/#4
Quelle: https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/

pam_tcb.so: Migrating from shadow passwords to tcb in Linux
For a more secure Linux password system, a migration from shadow passwords to tcb is worth a little extra work. Vincent Danen tells you what you need to recompile and patch.Wechsel von shadow-Passwörtern nach tcb in Linux.
"Shadow passwords have been a de facto standard with Linux distributions for years, and as well as the use of md5 passwords. However, there are drawbacks to using the traditional shadow password method, and even md5 is not as secure as it used to be. One drawback to the shadow password file is that any application that requires looking up a single shadow password (i.e., your password) also can look at everyone else´s shadow passwords, which means that any compromised tool that can read the shadow file will be able to obtain everyone´s shadow password."

Install pam_tcb (like pam_tcb(pclos) and other pam-module-rpm). If the encryption should be blowfish, install the package bcrypt.

Source and howto: https://www.techrepublic.com/article/migrating-from-shadow-passwords-to-tcb-in-linux/
alternatively: Migrating to tcb, http://www.opennet.ru/man.shtml?topic=tcb_convert&category=8&russian=2

After performing the howto (but still resigning from blowfish and the deletion of the shadow-files), our modified /etc/pam.d/system-auth has got the include:

#%PAM-1.0
auth optional pam-mount.so try_first_pass
auth required pam_env.so
auth sufficient pam_tcb.so
auth required pam_deny.so
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_tally2.so deny=3 onerr=fail unlock_time=1200
account sufficient pam_tcb.so
account required pam_deny.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_tally2.so per_user
password required pam_cracklib.so try_first_pass retry=3 minlen=6 dcredit=1 ucredit=1
password sufficient pam_tcb.so use_authtok tcb write_to=tcb
password required pam_deny.so
session optional pam_mount.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_tcb.so

and /etc/pam.d/password-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required pam_env.so
auth required pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200
auth sufficient pam_tcb.so shadow fork prefix=DOLLARSIGN2aDOLLARSIGN count=8
auth required pam_deny.so
account required pam_tcb.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_tcb.so try_first_pass use_authtok sha512 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_tcb.so

with /etc/nsswitch.conf
shadow: compat +user +root +surfuser +toruser -anonymous -bin -daemon -uuidd -rtkit -sync -mail -news -avahi -haldaemon -ALL tcb
You should try the originally meant "shadow: tcb nisplus nis" instead and set hosts to "hosts: files ... dns ..." into this recommended order.
and with pam_tcb.so for all pam_unix.so in /etc/pam.d/*
This all makes the computer once more mouseclick-fast and secure.

Disable Root Console Access
The previous step disables remote access for the root account, however it will still be possible for root to log in through any console device. Depending on the security of your console access you may wish to leave root access in place, otherwise it can be removed by clearing the /etc/securetty file as shown below.

echo > /etc/securetty

This file lists all devices that root is allowed to login to, the file must exist otherwise root will be allowed access through any communication device available whether that be console or other.

With no devices listed in this file root access has been disabled. It is important to note that this does not prevent root from logging in remotely with SSH for instance, that must be disabled as outlined in point 3 - Disable remote root access above.

Access to the console itself should also be secured, a physical console can be protected by the information covered in point 13 - Physical security.

https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/

Limited amount of processes, source. Arch Linux
On systems with many or untrusted users, it is important to limit the number of processes each can run at once, therefore preventing fork bombs and other denial of service attacks. /etc/security/limits.conf determines how many processes each user, or group can have open, and is empty (except for useful comments) by default. adding the following lines to this file will limit all users to 100 active processes, unless they use the prlimit command to explicitly raise their maximum to 200 for that session. These values can be changed according to the appropriate number of processes a user should have running, or the hardware of the box you are administrating. Do not set the limit too low. System can malfunction.

* soft nproc 300
* hard nporc 320
# user soft nproc 200
# user hard nproc 250
# surfuser soft nproc 60
# surfuser hard nporc 80
toruser soft nproc 80
toruser hard nporc 100

librepository (el6), libsafec-check (fc30, fc29): Finds unsafe APIs This once more makes computer mouseclick-fast!

Bastille, msec, rkhunter, chkrootkit, clamav (clamscan, klamav), maldetect, checksec, seccheck, xsysinfo, smartd, nessus, tkcvs and cervisia, ...
At this place think of programs like bastille and msec (rosa2016.1, rosa2014.1) to check out lacks in system security, before going on with the manual configuration hook by hook. Such programs with own graphical frontends resp. wizards protocol lacks in security and are able to automatically reconfigure the system even more secure.

Two-Factor-Authentification
Two factor authentication can be implemented for SSH access or other application login, it will improve login security by adding a second factor of authentication, that is the password is typically known as something you know, while the second factor may be a physical security token or mobile device which acts as something you have. The combination of something you know and something you have ensures that you are more likely who you say you are.

There are custom applications available for this such as Duo Securityand Google Authenticator as well as many others. These typically involve installing an application on a smart phone and then entering the generated code alongside your username and password when you authenticate.
Google Authenticator can be used for many other applications than just SSH, such as for WordPress login with third party plugin support.
https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/

... can´t believe it, remark by Gooken:

As executed programs (processes), think of text processing and terminal, do already exist in the RAM...

All INTEL-CPU-generations since Celeron
"We can read out everything!", tagesschau.de, 04.01.2017
As a consequence of a newspaper-report scientific researches from the Technical University Graz exposed the newest security-exploit in many computer processors. "We were shocked ourself, that this functions", said Michael Schwarz from TU Graz to "Tagesspiegel".
By this exploit all data could be read out, that are in actual process by the computer. "In Principle we could read out all actually entered by the keyboard." Attackers could also get data from Onlinebanking or stored passwords. "Therefore they must intrude into the computer", Schwarz restricted.

Serious hard lack in security in all Intel-CPUs, PC-WELT, 03.01.2018
A serious hard lack was found in Intel-processors of the last 10 years (excpet the one introduced by us in our data-sheed, rem., Gooken). Its closure costs performance.
https://www.pcwelt.de/a/schwere-luecke-in-allen-intel-cpus-entdeckt,3449263
What to do:
Data sheed: Plattform: ITX-220: is not listed in the table for exploited mainboards by Intel (1) and an exploit remaind undetected as the helping-tool for belonging system-analyzes from Intel indicated (intel-sa00086.zip for Linux) (2). Result: Modul MEI (2) can not be found (this module can be integrated by the command "modprobe mei" manually or within /etc/modules each boot or dracut right up from the system-start).

Is there a workaround/fix?

- There are patches against Meltdown for Linux ( KPTI (formerly KAISER)), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre, https://meltdownattack.com/
- iucode-tool (pclos2018)
- CPU: mouseclick-fast and secure: microcode_ctl ( do not get irritated by any other versions, install fast working (microcode_ctl-1.17-33.23.el6_10.x86_64.rpm, fc29: 2.1-34, rosa2016.1) upon el6 ) or ucode-intel ( OpenSuSE, >= 20190618-lp151.2.3.1.x86_64.rpm ), against ZombieLoad too (in order to get activated by console), we recommend the mouseclick-fast microcode_ctl (rosa2016.1), upon microcode_ctl (el6, rpm -i --force). Take the fastest actual microcode_ctl like microcode_ctl-1.17-33.23.el6_10.x86_64.rpm, fc29, rosa2016.1. In order to use microcode_ctl, flash the CPU by executing the command "microcode_ctl -Qu" each boot after entering it in /etc/rc.local or out of /usr/share/autostart. If it is not booted, the CPU will work upon its initial (default) microcode again.


Howto start microcode_ctl, for example add into /etc/rc.local:

echo 1 > /sys/devices/system/cpu/microcode/reload sh /usr/libexec/microcode_ctl/reload_microcode
or
start microcode_ctl automatically each boot by belonging udev-rule (number 83).

Changelog microcode_ctl
* Fr Dez 15 2017 Petr Oros poros@redhat.com - 1:1.17-25.2
- Update Intel CPU microde for 06-3f-02, 06-4f-01 and 06-55-04
- Add amd microcode_amd_fam17h.bin data file
- Resolves: #1527357
- Intel: Tools for ME-security-exploits, 24.11.2017, https://www.pro-linux.de/news/1/25369/intel-werkzeug-f%C3%BCr-me-sicherheitsl%C3%BCcken-vorgestellt.html
- kernel-4.20.13 with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: Version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: Version 008)) and the reintegrated KPTI-/KAISER-patch
- "modprobe mei" or start or stop the load of module mei in /etc/modules by entering resp. removing the line "mei" MEI in this matter was mentionded in Intel-security-checks as one part of the main risk.
- Update Firefox to 57.0.4 resp. 52.5.3-ESR (OpenSuSE) - Security fixes to address the Meltdown and Spectre timing attacks - https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ - Require new nss 3.34 (fixed rhbz#1531031) - Disabled ARM on all Fedoras due to rhbz#1523912
- Nvidia vs. Spectre: New Nvidia-drivers protect against Spectre-CPU-attacks, https://www.pcwelt.de/a/neue-nvidia-treiber-schuetzen-vor-spectre-cpu-attacken,3449339 NVIDIA graphics drivers (USN-3521-1, https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown?_ga=2.181440484.2145149635.1515760095-1741249263.1499327986)
- Webkitgtk+ (USN-3530-1)
- QEMU (USN-3560-1)
- libvirt (USN-3561-1)
- Cloud Images: Cloud images which address CVE-2017-5753 and CVE-2017-5715 (aka Spectre) and CVE-2017-5754 (aka Meltdown) are available for https://cloud-images.ubuntu.com from for the following releases: ...

Beneath microcode_ctl (rosa2016.1, el6) look out for actual kernel-firmware (el6) and kernel-headers (el6) too. Take those from year2020, making it all mouseclick-fast !

Firewall Linfw3 against Meltdown and Spectre: Set group "nobody" for the group of surfuser (with primary group nobody) and only allow surfuser with one more group of surfuser named surfgroup for example (instead of nobody) to go online. Linfw3 is able to block even root (UID: root, 0, GID: root, 0). So noone is allowed to go online through Linfw3 else surfuser with group surfgroup (instead of his primary group "nobody"), what prevents device drivers from exchaning data - as in this case caused by Meltdown and Spectre To go paranoid, to make it even more confusing for kernel and CPU, set all directories and files owned by surfuser to it´s primary group "nobody".

Test, if the system is secure now, protected well against Meltdown and Spectre, type into terminal the command:

head /sys/devices/system/cpu/vulnerabilities/*

You can update the kernel, if not.
https://www.pcwelt.de/tipps/CPU-Sicher-vor-Meltdown-Spectre-und-Co-10593390.html

Integrate sensors and chips from mainboard:
Paket lm_sensors (pclos)
sensors-detect
modprobe for found modules: enter them into /etc/modules ( for ITX-220: it87, coretemp, i2c-dev, mei)
Notice: It might be mouseclick-fast and more seucre not to enter them into /etc/modules.
LAN-Chip: eventually activate it through CMOS-BIOS-Setup (default: inactive)

Logging off idle users
Idle users are usually a security problem, a user might be idle maybe because he´s out to lunch or because a remote connection hung and was not re-established. For whatever the reason, idle users might lead to a compromise:

because the user´s console might be unlocked and can be accessed by an intruder.

because an attacker might be able to re-attach to a closed network connection and send commands to the remote shell (this is fairly easy if the remote shell is not encrypted as in the case of telnet).

Some remote systems have even been compromised through an idle (and detached) screen.

Automatic disconnection of idle users is usually a part of the local security policy that must be enforced. There are several ways to do this:

If bash is the user shell, a system administrator can set a default TMOUT value (see bash(1)) which will make the shell automatically log off remote idle users. Note that it must be set with the -o option or users will be able to change (or unset) it.

Install timeoutd and configure /etc/timeouts according to your local security policy. The daemon will watch for idle users and time out their shells accordingly.

Install autolog and configure it to remove idle users.

The timeoutd or autolog daemons are the preferred method since, after all, users can change their default shell or can, after running their default shell, switch to another (uncontrolled) shell.

Linux: TMOUT To Automatically Log Users Out
last updated May 18, 2011 in Categories BASH Shell, Linux

How do I auto Logout my shell user in Linux after certain minutes of inactivity?
Linux bash shell allows you to define the TMOUT environment variable. Set TMOUT to automatically log users out after a period of inactivity. The value is defined in seconds. For example,

export TMOUT=120

The above command will implement a 2 minute idle time-out for the default /bin/bash shell. You can edit your ~/.bash_profile or /etc/profile file as follows to define a 5 minute idle time out:

# set a 5 min timeout policy for bash shell
TMOUT=300
readonly TMOUT
export TMOUT

Save and close the file. The readonly command is used to make variables and functions readonly i.e. you user cannot change the value of variable called TMOUT.
How Do I Disable TMOUT?

To disable auto-logout, just set the TMOUT to zero or unset it as follows:
DOLLARSIGN export TMOUT=0

or

DOLLARSIGN unset TMOUT

Please note that readonly variable can only be disabled by root in /etc/profile or ~/.bash_profile
https://www.cyberciti.biz/faq/linux-tmout-shell-autologout-variable/

Or assign a value for SHELL_TIMEOUT (TMOUT) in /etc/security/msec/level.secure
SHELL_TIMEOUT=300

Restricting access to kernel pointers in the proc filesystem, source: Arch Linux
Note: linux-hardened sets kptr_restrict=2 by default rather than 0.
Enabling kernel.kptr_restrict will hide kernel symbol addresses in /proc/kallsyms from regular users without CAP_SYSLOG, making it more difficult for kernel exploits to resolve addresses/symbols dynamically. This will not help that much on a pre-compiled Arch Linux kernel, since a determined attacker could just download the kernel package and get the symbols manually from there, but if you´re compiling your own kernel, this can help mitigating local root exploits. This will break some perf commands when used by non-root users (but many perf features require root access anyway). See FS#34323 for more information.
/etc/sysctl.d/50-kptr-restrict.conf
kernel.kptr_restrict = 1

Next point fstab-Option hidepid for proc from source Arch Linux should be applied once more at your own risk:
hidepid
"Warning: This may cause issues for certain applications like an application running in a sandbox and Xorg.
. The kernel has the ability to hide other user-processes, normally accessible via /proc, from unprivileged users by mounting the proc filesystem with the hidepid= and gid= options documented here.
This greatly complicates an intruder´s task of gathering information about running processes, whether some daemon runs with elevated privileges, whether other user runs some sensitive program, whether other users run any program at all, makes it impossible to learn whether any user runs a specific program (given the program doesn´t reveal itself by its behaviour), and, as an additional bonus, poorly written programs passing sensitive information via program arguments are now protected against local eavesdroppers.
The proc group, provided by the filesystem package, acts as a whitelist of users authorized to learn other users´ process information. If users or services need access to /proc/ directories beyond their own, add them to the group.
For example, to hide process information from other users except those in the proc group:
/etc/fstab
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0 "

In the following and therefore just for our paranoid view, only some more security-points, now from debian.org, https://www.debian.org/doc/manuals/securing-debian-howto/ch1.en.html up to https://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html, might interest like:

Choose a BIOS password
Before you install any operating system on your computer, set up a BIOS password. After installation (once you have enabled bootup from the hard disk) you should go back to the BIOS and change the boot sequence to disable booting from floppy, CD-ROM and other devices that shouldn´t boot. Otherwise a cracker only needs physical access and a boot disk to access your entire system.
Disabling booting unless a password is supplied is even better. This can be very effective if you run a server, because it is not rebooted very often. The downside to this tactic is that rebooting requires human intervention which can cause problems if the machine is not easily accessible.
Note: many BIOSes have well known default master passwords, and applications also exist to retrieve the passwords from the BIOS. Corollary: don´t depend on this measure to secure console access to system.
Set

- Supervisor Password
- User Access Level from Full Access, View Only or Limited to No Access - this prevents user acsess onto the BIOS-Setup-Utility, so that no changes of the settings are possible anymore. Now the BIOS is protected.
- User Password
- Password Check from (only for BIOS-)Setup to Always

Turn Off IPv6
If you´re not using a IPv6 protocol, then you should disable it because most of the applications or policies not required IPv6 protocol and currently it doesn´t required on the server. Go to network configuration file and add followings lines to disable it.

nano /etc/sysconfig/network
NETWORKING_IPV6=no
IPV6INIT=no

https://www.tecmint.com/linux-server-hardening-security-tips/

Boot-process: If the message "Can not stat ( a named ) initscript" occurs during system boot, delete this initscript through all six runlevel and in directory init.d by
rm -df /etc/rc0.d/initscript-name
rm -df /etc/rc1.d/initscript-name
...
rm -df /etc/rc6.d/initscript-name
rm -df /etc/init.d/initscript-name

Activate resp. deactivate kernel-moduls
Get a listing of the kernel-modules by the terminal command lsmod.
In order to make the computer mouseclick-fast, all kernel modules without essential use have to be removed from /etc/rc.modules, while this file enpossibles to integrate modules by the command &quto;modprobe Modulname" added to the last line.
. Following our example-hardware from datasheed, the control-modules it87 und i2c-dev can be disabled and the service envoking them named lm_sensors deactivated.

/etc/X11/xorg.conf, mouseclick-fast for IGP INTEL-GMA-945, the PS2-mouse (optical or trackball), keyboard on USB-port:
/etc/X11/xorg.conf

Section "ServerFlags"
Option "DontZap" "True" # disable <Ctrl> <Alt> <BS>(server abort)
#DontZoom # disable <Ctrl> <Alt> <KP_+> /<KP_->(resolution switching)
AllowMouseOpenFail # allows the server to start up even if the mouse does not work
Option "DontVTSwitch" "True"
EndSection

Section "Module"
Load "dbe" # Double-Buffering Extension
Load "v4l" # Video for Linux
Load "type1"
Load "freetype"
Load "extmod"
Load "glx" # 3D layer
Load "dri" # direct rendering
EndSection

Section "Files"
ModulePath "/usr/lib64/xorg/modules"
ModulePath "/usr/lib64/xorg/modules/extensions"
FontPath "/usr/share/fonts/X11/misc"
FontPath "/usr/share/fonts/X11/cyrillic"
FontPath "/usr/share/fonts/X11/100dpi/:unscaled"
FontPath "/usr/share/fonts/X11/75dpi/:unscaled"
FontPath "/usr/share/fonts/X11/Type1"
FontPath "/usr/share/fonts/X11/100dpi"
FontPath "/usr/share/fonts/X11/75dpi"
FontPath "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType"
FontPath "built-ins"
EndSection

Section "Monitor"
Identifier "monitor1" HorizSync 47.7
VertRefresh 59.8
DisplaySize 361 203
# Monitor preferred modeline (59.8 Hz vsync, 47.7 kHz hsync, ratio 16/9, 84 dpi)
ModeLine "1366x768" 85.5 1366 1436 1579 1792 768 771 774 798 -hsync +vsync

# modeline generated by gtf(1) [handled by XFdrake]
ModeLine "1280x720_60" 74.48 1280 1336 1472 1664 720 721 724 746 -HSync +Vsync

# modeline generated by gtf(1) [handled by XFdrake]
ModeLine "1280x720_50" 60.47 1280 1328 1456 1632 720 721 724 741 -HSync +Vsync
EndSection

Section "Device"
Identifier "device1" VendorName "Intel Corporation"
BoardName "Intel 810 and later"
Driver "intel"
BusID "PCI:0:2:0"
Screen 0
Option "DPMS"
Option "ZaphodHeads" "VGA1"
Option "AccelMethod" "sna"

#Option "AccelMethod" "exa"

#Option "AccelMethod" "uxa"

#Option "AccelMethod" "glamour"
Option "MigrationHeuristic" "greedy"
#Option "EXAPixmaps" "off"
Option "DRI" "3"
#Option "DRI" "2"
Option "TearFree" "off"
Option "ColorTiling" "on"
Option "ColorTiling2D" "on"
Option "EnablePageFlip" "on"
#Option "ShadowPrimary" "on"
### Available Driver options are:-
### Values: <i> : integer, <f> : float, <bool> : "True"/"False",
### <string> : "String", <freq> : "<f>Hz/kHz/MHz",
### <percent> : "<f> %"
### [arg]: arg optional
# left by default https://www.mankier.com/4/intel
#Option "Backlight" # [<str> ]
#Option "XvPreferOverlay" # [<bool> ]
#Option "VideoKey" # [<bool> ]
#Option "ReprobeOutputs" # [<bool> ]
#Option "ZaphodHeads" # <str>
#Option "Accel" # [<bool> ]
#Option "ReprobeOutputs" # [<bool> ]
#Option "Present" # [<bool> ]
#Option "DebugFlushCaches" # [<bool> ]
#Option "DebugFlushBatches" # [<bool> ]
#Option "FallbackDebug" # [<bool> ]
#Option "CustomeEDID" # [<bool> ]
#Option "VSync" # [<bool> ]
#Option "PageFlip" # [<bool> ]
#Option "HWRotation" # [<bool> ]
#Option "DebugWait" # [<bool> ]
#Option "SwapbuffersWait" # [<bool> ]
#Option "Tiling" # [<bool> ]
#Option "LinearFramebuffer" # [<bool> ]
#Option "RelaxedFencing" # [<bool> ]
#Option "XvMC" # [<bool> ]
#Option "HotPlug" # [<bool> ]
#Option "Virtualheads" # <i>
#Option "Throttle" # [<bool> ]
#Option "NoAccel" # [<bool> ]
#Option "AccelMethod" # <str>
#Option "Backlight" # <str>
#Option "ColorKey" # <i>
#Option "VideoKey" # <i>
#Option "Tiling" # [<bool> ]
#Option "LinearFramebuffer" # [<bool> ]
#Option "SwapbuffersWait" # [<bool> ]
#Option "XvPreferOverlay" # [<bool> ]
#Option "HotPlug" # [<bool> ]
#Option "RelaxedFencing" # [<bool> ]
#Option "XvMC" # [<bool> ]
#Option "Throttle" # [<bool> ]
#Option "DelayedFlush" # [<bool> ]
#Option "TearFree" # [<bool> ]
#Option "PerCrtcPixmaps" # [<bool> ]
#Option "FallbackDebug" # [<bool> ]
#Option "DebugFlushBatches" # [<bool> ]
#Option "DebugFlushCaches" # [<bool> ]
#Option "DebugWait" # [<bool> ]
#Option "BufferCache" # [<bool> ]
#Option "TripleBuffer" # [<bool> ]
#Option "SWcursor" # [<bool> ]
#Option "kmsdev" # <str>
#Option "ShadowFB" # [<bool> ]
#Option "Rotate" # <str> Option "fbdev" "on"
#Option "debug" # [<bool> ]
#Option "ShadowFB" # [<bool> ]
#Option "DefaultRefresh" # [<bool> ]
#Option "ModeSetClearScreen" # [<bool> ]
EndSection

Section "Screen"
Identifier "screen1"
Device "device1"
Monitor "monitor1"
DefaultColorDepth 24

Subsection "Display"
Depth 24
Modes "1366x768" "1360x765" "1280x720" "1024x768"
EndSubsection
EndSection

Section "ServerLayout"
Identifier "layout1"
Screen "screen1&# File generated by XFdrake (rev )

# **********************************************************************
# Refer to the xorg.conf man page for details about the format of
# this file.
# **********************************************************************

Section "ServerFlags" Option "DontZap" "true" # disable <Ctrl> <Alt> <BS>(server abort)
#DontZoom # disable <Ctrl> <Alt> <KP_+> /<KP_->(resolution switching)
Option "AllowMouseOpenFail" "true" # allows the server to start up even if the mouse does not work
Option "DontVTSwitch" "true"
Option "DPMS" "true"
EndSection

Section "Module"
Load "dbe" # Double-Buffering Extension
Load "v4l" # Video for Linux
Load "type1"
Load "freetype"
Load "extmod"
Load "glx" # 3D layer
Load "dri" # direct rendering
EndSection
Section "Extensions"
# compiz needs Composite, but it can cause bad (end even softreset-resistant)
# effects in some graphics cards, especially nv.
Option "Composite" "Enable"
EndSection

Section "Files"
ModulePath "/usr/lib64/xorg/modules"
ModulePath "/usr/lib64/xorg/modules/extensions"
FontPath "/usr/share/fonts/X11/misc"
FontPath "/usr/share/fonts/X11/cyrillic"
FontPath "/usr/share/fonts/X11/100dpi/:unscaled"
FontPath "/usr/share/fonts/X11/75dpi/:unscaled"
FontPath "/usr/share/fonts/X11/Type1"
FontPath "/usr/share/fonts/X11/100dpi"
FontPath "/usr/share/fonts/X11/75dpi"
FontPath "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType"
FontPath "built-ins"
EndSection

Section "Monitor"
Identifier "monitor1"
HorizSync 47.7
VertRefresh 59.8
DisplaySize 361 203
# Monitor preferred modeline (59.8 Hz vsync, 47.7 kHz hsync, ratio 16/9, 84 dpi)
ModeLine "1366x768" 85.5 1366 1436 1579 1792 768 771 774 798 -hsync +vsync

# modeline generated by gtf(1) [handled by XFdrake]
ModeLine "1280x720_60" 74.48 1280 1336 1472 1664 720 721 724 746 -HSync +Vsync

# modeline generated by gtf(1) [handled by XFdrake]
ModeLine "1280x720_50" 60.47 1280 1328 1456 1632 720 721 724 741 -HSync +Vsync
EndSection

Section "Device"
Identifier "device1" VendorName "Intel Corporation"
BoardName "Intel 810 and later"
Driver "intel"
BusID "PCI:0:2:0"
Screen 0
Option "DPMS"
Option "ZaphodHeads" "VGA1"
Option "AccelMethod" "sna"

#Option "AccelMethod" "exa"

#Option "AccelMethod" "uxa"

#Option "AccelMethod" "glamour"
Option "MigrationHeuristic" "greedy"

#Option "EXAPixmaps" "off"
Option "DRI" "3"
#Option "DRI" "2"
Option "TearFree" "off"
Option "ColorTiling" "on"
Option "ColorTiling2D" "on"
Option "EnablePageFlip" "on"
#Option "ShadowPrimary" "on"
### Available Driver options are:-
### Values: <i> : integer, <f> : float, <bool> : "True"/"False",
### <string> : "String", <freq> : "<f>Hz/kHz/MHz",
### <percent> : "<f> %"
### [arg]: arg optional
# left by default https://www.mankier.com/4/intel
#Option "Backlight" # [<str> ]
#Option "XvPreferOverlay" # [<bool> ]
#Option "VideoKey" # [<bool> ]
#Option "ReprobeOutputs" # [<bool> ]
#Option "ZaphodHeads" # <str>
#Option "Accel" # [<bool> ]
#Option "ReprobeOutputs" # [<bool> ]
#Option "Present" # [<bool> ]
#Option "DebugFlushCaches" # [<bool> ]
#Option "DebugFlushBatches" # [<bool> ]
#Option "FallbackDebug" # [<bool> ]
#Option "CustomeEDID" # [<bool> ]
#Option "VSync" # [<bool> ]
#Option "PageFlip" # [<bool> ]
#Option "HWRotation" # [<bool> ]
#Option "DebugWait" # [<bool> ]
#Option "SwapbuffersWait" # [<bool> ]
#Option "Tiling" # [<bool> ]
#Option "LinearFramebuffer" # [<bool> ]
#Option "RelaxedFencing" # [<bool> ]
#Option "XvMC" # [<bool> ]
#Option "HotPlug" # [<bool> ]
#Option "Virtualheads" # <i>
#Option "Throttle" # [<bool> ]
#Option "NoAccel" # [<bool> ]
#Option "AccelMethod" # <str>
#Option "Backlight" # <str>
#Option "ColorKey" # <i>
#Option "VideoKey" # <i>
#Option "Tiling" # [<bool> ]
#Option "LinearFramebuffer" # [<bool> ]
#Option "SwapbuffersWait" # [<bool> ]
#Option "XvPreferOverlay" # [<bool> ]
#Option "HotPlug" # [<bool> ]
#Option "RelaxedFencing" # [<bool> ]
#Option "XvMC" # [<bool> ]
#Option "Throttle" # [<bool> ]
#Option "DelayedFlush" # [<bool> ]
#Option "TearFree" # [<bool> ]
#Option "PerCrtcPixmaps" # [<bool> ]
#Option "FallbackDebug" # [<bool> ]
#Option "DebugFlushBatches" # [<bool> ]
#Option "DebugFlushCaches" # [<bool> ]
#Option "DebugWait" # [<bool> ]
#Option "BufferCache" # [<bool> ]
#Option "TripleBuffer" # [<bool> ]
#Option "SWcursor" # [<bool> ]
#Option "kmsdev" # <str>
#Option "ShadowFB" # [<bool> ]
#Option "Rotate" # <str>
Option "fbdev" "on"
#Option "debug" # [<bool> ]
#Option "ShadowFB" # [<bool> ]
#Option "DefaultRefresh" # [<bool> ]
#Option "ModeSetClearScreen" # [<bool> ]
EndSection

Section "Screen"
Identifier "screen1"
Device "device1"
Monitor "monitor1"
DefaultColorDepth 24

Subsection "Display"
Depth 24
Modes "1366x768" "1360x765" "1280x720" "1024x768"
EndSubsection
EndSection

Section "ServerLayout"
Identifier "layout1" Screen "screen1"
InputDevice "Keyboard0" "CoreKeyboard"
InputDevice "Mymouse1" "CorePointer"
Option "AIGLX" "true"
EndSection
# LOGITECH OPTICAL PS2-PORT-MOUSE
Section "InputDevice"
Identifier "Mymouse1"
Driver "mouse"

#Option "Device" "/dev/ttyS0"
Option "Protocol" "ImPS/2"

#Option "Device" "/dev/psaux"

#Option "Device" "/dev/ttyS0"

Option "Device" "/dev/input/mice"
Option "Emulate3Buttons" "true"
Option "CorePointer"

#Option "Protocol" "Auto"
#Option "Protocol" "ExplorerPS/2"

#Option "Protocol" "auto"

Option "ZAxisMapping" "4 5"
#Option "ZAxisMapping" "4 5 6 7"
EndSection

Section "InputDevice"
# generated from default
Identifier "Keyboard0"
Driver "kbd"
Option "CoreKeyboard"
Option "XkbRules" "xorg"
Option "XkbModel" "pc105"
Option "XkbLayout" "de"

EndSection

InputDevice "Keyboard0" "CoreKeyboard"
InputDevice "Mymouse1" "CorePointer"
EndSection
Section "InputDevice"
Identifier "Mymouse1"
Driver "mouse"

<BR>
#Option "Device" "/dev/ttyS0"
Option "Protocol" "ImPS/2"
#Option "Device" "/dev/psaux"

#Option "Device" "/dev/ttyS0"
Option "Device" "/dev/input/mice"
Option "Emulate3Buttons" "true"
Option "CorePointer"
#Option "Protocol" "Auto"
#Option "Protocol" "ExplorerPS/2"

#Option "Protocol" "auto"
Option "ZAxisMapping" "4 5"
#Option "ZAxisMapping" "4 5 6 7"
EndSection

Section "InputDevice"
# generated from default
Identifier "Keyboard0"
Driver "kbd"
Option "CoreKeyboard"
Option "XkbRules" "xorg"
Option "XkbModel" "pc105"
Option "XkbLayout" "de"
EndSection

Do not plug to the Internet until ready
The system should not be immediately connected to the Internet during installation. This could sound stupid but network installation is a common method. Since the system will install and activate services immediately, if the system is connected to the Internet and the services are not properly configured you are opening it to attack.

Run the minimum number of services required
Services are programs such as ftp servers and web servers. Since they have to be listening for incoming connections that request the service, external computers can connect to yours. Services are sometimes vulnerable (i.e. can be compromised under a given attack) and hence present a security risk. Unwanted servces might be: telnet, ftp, smbd and nmbd (Samba), portmap (NFS), automount (NFS, network file system), rexec, named (DNS), lpd (printer), inetd, ...
https://www.tecmint.com/remove-unwanted-services-from-linux/

Set a LILO or GRUB password
What matters for updates, should almost be not the version of the rpm but the new release of one and the same version (backport-concept).

umask (see man umask): recommended values:
/etc/fstab: option umask 077 at least for the root- and home-Partition
~/.bashrc: umask 077 # for all user
~/.bashrc-profile: umask 077 # for all user
/etc/profile: umask 022 # to keep most of all accessible for a user

Disable root prompt on the initramfs
Note: This applies to the default kernels provided for releases after Debian 3.1
Linux 2.6 kernels provide a way to access a root shell while booting which will be presented during loading the initramfs on error. This is helpful to permit the administrator to enter a rescue shell with root permissions. This shell can be used to manually load modules when autodetection fails. This behavior is the default for initramfs-tools generated initramfs. The following message will appear:

"ALERT! /dev/sda1 does not exist. Dropping to a shell!

In order to remove this behavior you need to set the following boot argument:panic=0. Add this to the variable GRUB_CMDLINE_LINUX in /etc/default/grub and issue update-grub or to the append section of /etc/lilo.conf.

Remove root prompt on the kernel
Note: This does not apply to the kernels provided for Debian 3.1 as the timeout for the kernel delay has been changed to 0.
Linux 2.4 kernels provide a way to access a root shell while booting which will be presented just after loading the cramfs file system. A message will appear to permit the administrator to enter an executable shell with root permissions, this shell can be used to manually load modules wheX11-Servern autodetection fails. This behavior is the default for initrd´s linuxrc. The following message will appear:

Press ENTER to obtain a shell (waits 5 seconds)

In order to remove this behavior you need to change /etc/mkinitrd/mkinitrd.conf and set:

# DELAY The number of seconds the linuxrc script should wait to # allow the user to interrupt it before the system is brought up DELAY=0

Then regenerate your ramdisk image. You can do this for example with:

# cd /boot # mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7

or (preferred):

# dpkg-reconfigure -plow kernel-image-2.4.x-yz

Restricting console login access
Some security policies might force administrators to log in to the system through the console with their user/password and then become superuser (with su or sudo). This policy is implemented in Debian by editing the /etc/pam.d/login and the /etc/securetty when using PAM (make a backup, before doing this!):

/etc/pam.d/login enables the pam_securetty.so module. This module, when properly configured will not ask for a password when the root user tries to login on an insecure console, rejecting access as this user.
securetty by adding/removing the terminals to which root access will be allowed. If you wish to allow only local console access then you need console, ttyX and vc/X (if using devfs devices), you might want to add also ttySX, if you are using a serial console for local access (where X is an integer, you might want to have multiple instances. The default configuration for Wheezy includes many tty devices, serial ports, vc consoles as well as the X server and the console device. You can safely adjust this if you are not using that many consoles. You can confirm the virtual consoles and the tty devices you have by reviewing /etc/inittab . For more information on terminal devices read the Text-Terminal-HOWTO.

When using PAM, other changes to the login process, which might include restrictions to users and groups at given times, can be configured in /etc/pam.d/login. An interesting feature, that can be disabled, is the possibility to login with null (blank) passwords. This feature can be limited by removing nullok from the line:

auth required pam_unix.so nullok

Our /etc/pam.d/login:

%PAM-1.0
auth required pam-securetty.so
auth required pam_tally2.so deny=3 even_deny_root unlock_time=2400
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so

securetty
is the file, where to add or delete terminals for the login of root. If a local access by console should be allowed only, then add console, ttyX and vc/X ( if devfs-interface is used, where X is an integer ).
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.de.html

The primary entry types and their affects are as follows:
If /etc/securetty doesn´t exist, root is allowed to login from any tty
If /etc/securetty exist and is empty, root access will be restricted to single user mode or programs, that are not restricted by pam_securetty (i.e. su, sudo, ssh, scp, sftp)
if you are using devfs (a deprecated filesystem for handling /dev), adding entries of the form vc/[0-9]* will permit root login from the given virtual console number
if you are using udev (for dynamic device management and replacement for devfs), adding entries of the form tty[0-9]* will permit root login from the given virtual console number
listing console in securetty, normally has no effect since /dev/console points to the current console and is normally only used as the tty filename in single user mode, which is unaffected by /etc/securetty
adding entries like pts/[0-9]* will allow programs that use pseudo-terminals (pty) and pam_securetty to login into root assuming the allocated pty is one of the ones listed; it´s normally a good idea not to include these entries because it´s a security risk; it would allow, for instance, someone to login into root via telenet, which sends passwords in plaintext (note that pts/[0-9]* is the format for udev which is used in RHEL 5.5; it will be different if using devfs or some other form of device management)
For single user mode, /etc/securetty is not consulted because the sulogin is used instead of login. See the sulogin man page for more info. Also you can change the login program used in /etc/inittab for each runlevel.
https://unix.stackexchange.com/questions/41840/effect-of-entries-in-etc-securetty

Restricting system reboots through the console
If your system has a keyboard attached to it anyone (yes anyone) with physical access to the system can reboot the system through it without login in just pressing the Ctrl+Alt+Delete keyboard combination, also known as the three finger salute. This might, or might not, adhere to your security policy.
This is aggravated in environments in which the operating system is running virtualised. In these environments, the possibility extends to users that have access to the virtual console (which might be accessed over the network). Also note that, in these environments, this keyboard combination is used constantly (to open a login shell in some GUI operating systems) and an administrator might virtually send it and force a system reboot.

There are two ways to restrict this:
configure it so that only allowed users can reboot the system, disable this feature completely.

If you want to restrict this, you must check the /etc/inittab so that the line that includes ctrlaltdel calls shutdown with the -a switch.
The default in Debian includes this switch:

ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

The -a switch, as the shutdown(8) manpage describes,makes it possible to allow some users to shutdown the system. For this the file /etc/shutdown.allow must be created and the administrator has to include there the name of users which can boot the system. When the three finger salute combination is pressed in a console the program will check if any of the users listed in the file are logged in. If none of them is, shutdown will not reboot the system.
If you want to disable the Ctrl+Alt+Del combination you just need to comment the line with the ctrlaltdel definition in the /etc/inittab.
Remember to run init q after making any changes to the /etc/inittab file for the changes to take effect.

Restricting the use of the Magic SysRq key
The Magic SysRq key is a key combination that allows users connected to the system console of a Linux kernel to perform some low-level commands. These low-level commands are sent by pressing simultaneously Alt+SysRq and a command key. The SysRq key in many keyboards is labeled as the Print Screen key.
Since the Etch release, the Magic SysRq key feature is enabled in the Linux kernel to allow console users certain privileges. You can confirm this by checking if the /proc/sys/kernel/sysrq exists and reviewing its value:

DOLLARSIGN cat /proc/sys/kernel/sysrq
438

The default value shown above allows all of the SysRq functions except for the possibility of sending signals to processes. For example, it allow users connected to the console to remount all systems read-only, reboot the system or cause a kernel panic. In all the features are enabled, or in older kernels (earlier than 2.6.12) the value will be just 1.
You should disable this functionality ifaccess to the console is not restricted to authorised users: the console is connected to a modem line, there is easy physical access to the system or it is running in a virtualised environment and other users access the console. To do this edit the /etc/sysctl.conf and add the following lines:

# Disables the magic SysRq key
kernel.sysrq = 0

User authentication: PAM
PAM (Pluggable Authentication Modules) allows system administrators to choose how applications authenticate users. Note that PAM can do nothing unless an application is compiled with support for PAM. Most of the applications that are shipped with Debian have this support built in (Debian did not have PAM support before 2.2). The current default configuration for any PAM-enabled service is to emulate UNIX authentication (read /usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz for more information on how PAM services should work in Debian).
Each application with PAM support provides a configuration file in /etc/pam.d/ which can be used to modify its behavior:

what backend is used for authentication.

what backend is used for sessions.

how do password checks behave.

The following description is far from complete, for more information you might want to read the Linux-PAM Guides as a reference. This documentation is available in the system if you install the libpam-doc at /usr/share/doc/libpam-doc/html/.
PAM offers you the possibility to go through several authentication steps at once, without the user´s knowledge. You could authenticate against a Berkeley database and against the normal passwd file, and the user only logs in if the authentication succeeds in both. You can restrict a lot with PAM, just as you can open your system doors very wide. So be careful. A typical configuration line has a control field as its second element. Generally it should be set to requisite, which returns a login failure if one module fails.
More about PAM: https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html, chapter 4.11

User login actions: edit /etc/login.defs (make a backup, before doing this!)
The next step is to edit the basic configuration and action upon user login. Note that this file is not part of the PAM configuration, it´s a configuration file honored by login and su programs, so it doesn´t make sense tuning it for cases where neither of the two programs are at least indirectly called (the getty program which sits on the consoles and offers the initial login prompt does invoke login).

FAILLOG_ENAB yes

If you enable this variable, failed logins will be logged. It is important to keep track of them to catch someone who tries a brute force attack.

LOG_UNKFAIL_ENAB no

If you set this variable to ´yes´ it will record unknown usernames if the login failed. It is best if you use ´no´ (the default) since, otherwise, user passwords might be inadvertenly logged here (if a user mistypes and they enter their password as the username). If you set it to ´yes´, make sure the logs have the proper permissions (640 for example, with an appropriate group setting such as adm).

SYSLOG_SU_ENAB yes

This one enables logging of su attempts to syslog. Quite important on serious machines but note that this can create privacy issues as well.

SYSLOG_SG_ENAB yes

The same as SYSLOG_SU_ENAB but applies to the sg program.

ENCRYPT_METHOD SHA512

As stated above, encrypted passwords greatly reduce the problem of dictionary attacks, since you can use longer passwords. This definition has to be consistent with the value defined in /etc/pam.d/common-password.

User login actions: edit /etc/pam.d/login (make a backup, before doing this!)
You can adjust the login configuration file to implement an stricter policy. For example, you can change the default configuration and increase the delay time between login prompts. The default configuration sets a 3 seconds delay:

auth optional pam_faildelay.so delay=3000000

Increasing the delay value to a higher value to make it harder to use the terminal to log in using brute force. If a wrong password is typed in, the possible attacker (or normal user!) has to wait longer seconds to get a new login prompt, which is quite time consuming when you test passwords. For example, if you set delay=10000000, users will have to wait 10 seconds if they type a wrong password.

In this file you can also set the system to present a message to users before a user logs in. The default is disabled, as shown below:

# auth required pam_issue.so issue=/etc/issue

If required by your security policy, this file can be used to show a standard message indicating that access to the system is restricted and user acess is logged. This kind of disclaimer might be required in some environments and jurisdictions. To enable it, just include the relevant information in the /etc/issue [24] file and uncomment the line enabling the pam_issue.so module in /etc/pam.d/login. In this file you can also enable additional features which might be relevant to apply local security policies such as:

setting rules for which users can access at which times, by enabling the pam_time.so module and configuring /etc/security/time.conf accordingly (disabled by default),

setup login sessions to use user limits as defined in /etc/security/limits.conf (enabled by default),

present the user with the information of previous login information (enabled by default),

print a message (/etc/motd and /run/motd.dynamic) to users after login in (enabled by default),

Restricting ftp: editing /etc/ftpusers (make a backup, before doing this!)
The /etc/ftpusers file contains a list of users who are not allowed to log into the host using ftp. Only use this file if you really want to allow ftp (which is not recommended in general, because it uses clear-text passwords). If your daemon supports PAM, you can also use that to allow and deny users for certain services.
A convenient way to add all system accounts to the /etc/ftpusers is to run

DOLLARSIGN awk -F : ´{if (DOLLARSIGN3<1000) print DOLLARSIGN1}´ /etc/passwd > /etc/ftpusers

Disallow remote administrative access
You should also modify /etc/security/access.conf to disallow remote logins to administrative accounts. This way users need to invoke su (or sudo) to use any administrative powers and the appropriate audit trace will always be generated.
You need to add the following line to /etc/security/access.conf, the default Debian configuration file has a sample line commented out (making your system mouseclick-fast; do not forget to make a backup of this file, before doing this!).
As already described commented in in /etc/security/access.conf, for root and system user and user:
:

# User "root" should be denied to get access from all other sources.
- : root : ALL
- : user : ALL
- : surfuser : 127.0.0.0/24
- : toruser : 127.0.0.0/24
- : uuidd : ALL
- . messagebus: ALL
- : wheel:ALL EXCEPT LOCAL
- : ftp : ALL
- : mail : ALL
- : pop3ad : ALL
- : bin : ALL
- : daemon : ALL
- : adm : ALL
- : sync : ALL
- : halt : ALL
- : news : ALL
# All other users should be denied to get access from all sources.
: ALL : ALL

Look out for other important options in this file too. Remember to enable the pam_access module for every service (or default configuration) in /etc/pam.d/ if you want your changes to /etc/security/access.conf honored.

Configuring syncookies
This option is a double-edged sword. On the one hand it protects your system against syn packet flooding; on the other hand it violates defined standards (RFCs).

net/ipv4/tcp_syncookies = 1

If you want to change this option each time the kernel is working you need to change it in /etc/network/options by setting syncookies=yes. This will take effect when ever /etc/init.d/networking is run (which is typically done at boot time) while the following will have a one-time effect until the reboot:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies # e.g. within /etc/rc.local

This option will only be available if the kernel is compiled with the CONFIG_SYNCOOKIES. All Debian kernels are compiled with this option builtin but you can verify it running:

DOLLARSIGN sysctl -A |grep syncookies
net/ipv4/tcp_syncookies = 1

For more information on TCP syncookies read http://cr.yp.to/syncookies.html.

Disabling weak-end hosts issues
Systems with more than one interface on different networks can have services configured so that they will bind only to a given IP address. This usually prevents access to services when requested through any other address. However, this does not mean (although it is a common misconception) that the service is bound to a given hardware address (interface card).
This is not an ARP issue and it´s not an RFC violation (it´s called weak end host in RFC1122, section 3.3.4.2). Remember, IP addresses have nothing to do with physical interfaces.
On 2.2 (and previous) kernels this can be fixed with:

# echo 1 > /proc/sys/net/ipv4/conf/all/hidden
# echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden
# echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden

..... On later kernels this can be fixed either with:

iptables rules.

properly configured routing.

kernel patching.

Along this text there will be many occasions in which it is shown how to configure some services (sshd server, apache, printer service...) in order to have them listening on any given address, the reader should take into account that, without the fixes given here, the fix would not prevent accesses from within the same (local) network.
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html

Using tcpwrappers
TCP wrappers were developed when there were no real packet filters available and access control was needed. Nevertheless, they´re still very interesting and useful. The TCP wrappers allow you to allow or deny a service for a host or a domain and define a default allow or deny rule (all performed on the application level). If you want more information take a look at hosts_access(5).
Many services installed in Debian are either:

launched through the tcpwrapper service (tcpd)

compiled with libwrapper support built-in.

On the one hand, for services configured in /etc/inetd.conf (this includes telnet, ftp, netbios, swat and finger) you will see that the configuration file executes /usr/sbin/tcpd first. On the other hand, even if a service is not launched by the inetd superdaemon, support for the tcp wrappers rules can be compiled into it. Services compiled with tcp wrappers in Debian include ssh, portmap, in.talk, rpc.statd, rpc.mountd, gdm, oaf (the GNOME activator daemon), nessus and many others.

To see which packages use tcpwrappers [31] try:

DOLLARSIGN apt-cache rdepends libwrap0

Take this into account when running tcpdchk (a very useful TCP wrappers config file rule and syntax checker). When you add stand-alone services (that are directly linked with the wrapper library) into the hosts.deny and hosts.allow files, tcpdchk will warn you that it is not able to find the mentioned services since it only looks for them in /etc/inetd.conf (the manpage is not totally accurate here).

Now, here comes a small trick, and probably the smallest intrusion detection system available. In general, you should have a decent firewall policy as a first line, and tcp wrappers as the second line of defense. One little trick is to set up a SPAWN command in /etc/hosts.deny that sends mail to root whenever a denied service triggers wrappers:

ALL: ALL: SPAWN (
echo -e "n
TCP Wrappers: Connection refusedn
By: DOLLARSIGN(uname -n)n
Process: %d (pid %p)n
User: %un
Host: %cn
Date: DOLLARSIGN(date)n
" | /usr/bin/mail -s "Connection to %d blocked" root) &

Beware: The above printed example is open to a DoS attack by making many connections in a short period of time. Many emails mean a lot of file I/O by sending only a few packets.
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html

Protecting against ARP attacks
When you don´t trust the other boxes on your LAN (which should always be the case, because it´s the safest attitude) you should protect yourself from the various existing ARP attacks.
As you know the ARP protocol is used to link IP addresses to MAC addresses (see RFC826 for all the details). Every time you send a packet to an IP address an ARP resolution is done (first by looking into the local ARP cache then if the IP isn´t present in the cache by broadcasting an ARP query) to find the target´s hardware address. All the ARP attacks aim to fool your box into thinking that box B´s IP address is associated to the intruder´s box´s MAC address; Then every packet that you want to send to the IP associated to box B will be send to the intruder´s box...
Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to sniff the traffic even on switched networks, to easily hijack connections, to disconnect any host from the network... ARP attacks are powerful and simple to implement, and several tools exists, such as arpspoof from the dsniff package or arpoison.
However, there is always a solution:
Use a static ARP cache. You can set up "static" entries in your ARP cache with:

arp -s host_name hdwr_addr

By setting static entries for each important host in your network you ensure that nobody will create/modify a (fake) entry for these hosts (static entries don´t expire and can´t be modified) and spoofed ARP replies will be ignored. Detect suspicious ARP traffic. You can use arpwatch, karpski or more general IDS that can also detect suspicious ARP traffic (snort, prelude...).
Implement IP traffic filtering validating the MAC address.
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.de.html

Securing FTP
If you really have to use FTP (without wrapping it with sslwrap or inside a SSL or SSH tunnel), you should chroot ftp into the ftp users´ home directory, so that the user is unable to see anything else than their own directory. Otherwise they could traverse your root file system just like if they had a shell in it. You can add the following line in your proftpd.conf in your global section to enable this chroot feature:

DefaultRoot ~

Restart ProFTPd by /etc/init.d/proftpd restart and check whether you can escape from your homedir now.
To prevent ProFTPd DoS attacks using ../../.., add the following line in /etc/proftpd.conf: DenyFilter *.*/
Always remember that FTP sends login and authentication passwords in clear text (this is not an issue if you are providing an anonymous public service) and there are better alternatives in Debian for this. For example, sftp (provided by ssh). There are also free implementations of SSH for other operating systems: putty and cygwin for example.
However, if you still maintain the FTP server while making users access through SSH you might encounter a typical problem. Users accessing anonymous FTP servers inside SSH-secured systems might try to log in the FTP server. While the access will be refused, the password will nevertheless be sent through the net in clear form. To avoid that, ProFTPd developer TJ Saunders has created a patch that prevents users feeding the anonymous FTP server with valid SSH accounts. More information and patch available at: ProFTPD Patches. This patch has been reported to Debian too, see Bug #145669.
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html

Secure up RPC-services
Deactivate RPC abschalten (or deinstall it), if not needed.
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.de.html

tcp_wrapper for server

With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.
It supports both 4.3BSD-style sockets and System V.4-style TLI. Praise yourself lucky if you don´t know what that means.
The package provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files. The wrappers report the name of the client host and of the requested service; the wrappers do not exchange information with the client or server applications, and impose no overhead on the actual conversation between the client and server applications.
Optional features are: access control to restrict what systems can connect to what network daemons; client user name lookups with the RFC 931 etc. protocol; additional protection against hosts that pretend to have someone elses host name; additional protection against hosts that pretend to have someone elses host address.

Securing Squid
Squid is one of the most popular proxy/cache server, and there are some security issues that should be taken into account. Squid´s default configuration file denies all users requests. However the Debian package allows access from ´localhost´, you just need to configure your browser properly. You should configure Squid to allow access to trusted users, hosts or networks defining an Access Control List on /etc/squid/squid.conf, see the Squid User´s Guide for more information about defining ACLs rules. Notice that Debian provides a minimum configuration for Squid that will prevent anything, except from localhost to connect to your proxy server (which will run in the default port 3128). You will need to customize your /etc/squid/squid.conf as needed. The recommended minimum configuration (provided with the package) is shown below:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
X11-Server acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
(...)
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
#Default:
# icp_access deny all
#
#Allow ICP queries from everyone
icp_access allow all

You should also configure Squid based on your system resources, including cache memory (option cache_mem), location of the cached files and the amount of space they will take up on disk (option cache_dir).
Notice that, if not properly configured, someone may relay a mail message through Squid, since the HTTP and SMTP protocols are designed similarly. Squid´s default configuration file denies access to port 25. If you wish to allow connections to port 25 just add it to Safe_ports lists. However, this is NOT recommended.
Setting and configuring the proxy/cache server properly is only part of keeping your site secure. Another necessary task is to analyze Squid´s logs to assure that all things are working as they should be working. There are some packages in Debian GNU/Linux that can help an administrator to do this. The following packages are available in Debian 3.0 and Debian 3.1 (sarge):

calamaris - Log analyzer for Squid or Oops proxy log files.
modlogan - A modular logfile analyzer.
sarg - Squid Analysis Report Generator.
squidtaild - Squid log monitoring program.

When using Squid in Accelerator Mode it acts as a web server too. Turning on this option increases code complexity, making it less reliable. By default Squid is not configured to act as a web server, so you don´t need to worry about this. Note that if you want to use this feature be sure that it is really necessary. To find more information about Accelerator Mode on Squid see the Squid User´s Guide - Accelerator Mode


Securing printing access (the lpd and lprng issue)
Imagine, you arrive at work, and the printer is spitting out endless amounts of paper because someone is DoSing your line printer daemon. Nasty, isn´t it?
In any UNIX printing architecture, there has to be a way to get the client´s data to the host´s print server. In traditional lpr and lp, the client command copies or symlinks the data into the spool directory (which is why these programs are usually SUID or SGID).
In order to avoid any issues you should keep your printer servers especially secure. This means you need to configure your printer service so it will only allow connections from a set of trusted servers. In order to do this, add the servers you want to allow printing to your /etc/hosts.lpd.
However, even if you do this, the lpr daemon accepts incoming connections on port 515 of any interface. You should consider firewalling connections from networks/hosts which are not allowed printing (the lpr daemon cannot be limited to listen only on a given IP address).
Lprng should be preferred over lpr since it can be configured to do IP access control. And you can specify which interface to bind to (although somewhat weirdly).
If you are using a printer in your system, but only locally, you will not want to share this service over a network. You can consider using other printing systems, like the one provided by cups or PDQ which is based on user permissions of the /dev/lp0 device.
In cups, the print data is transferred to the server via the HTTP protocol. This means the client program doesn´t need any special privileges, but does require that the server is listening on a port somewhere.
However, if you want to use cups, but only locally, you can configure it to bind to the loopback interface by changing /etc/cups/cupsd.conf:

Listen 127.0.0.1:631 # This might not work! To go sure: Port 631 and Listen /var/run/cups/cups.sock

There are many other security options like allowing or denying networks and hosts in this config file. However, if you do not need them you might be better off just limiting the listening port. Cups also serves documentation through the HTTP port, if you do not want to disclose potential useful information to outside attackers (and the port is open) add also:

>Location /<
Order Deny,Allow
Deny From All
Allow From 127.0.0.1 # or try "Allow @LOCAL"
</Location>

This configuration file can be modified to add some more features including SSL/TLS certificates and crypto. The manuals are available at http://localhost:631/ or at cups.org.
FIXME: Add more content (the article on Amateur Fortress Building provides some very interesting views).
FIXME: Check if PDG is available in Debian, and if so, suggest this as the preferred printing system.
FIXME: Check if Farmer/Wietse has a replacement for printer daemon and if it´s available in Debian.
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html

Securing SSH, mail-service, BIND, Apache, Finger and deactivate NIS
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.de.html

Administrate the services: systemd since year 2013 or chkconfig
/etc/rc.local for each boot still is not registrated, so it still might not be executed, maybe the same for ip6tables and iptables. For this purpose create rc.local in /etc/init.d (by overwriting it with /etc/init.d/linfw3 for example) to change the include of previous daemon linfw3, now rc.local in /etc/init.d up to the following: start() "sh /etc/init.d/rc.local", unneeded variables removed and without stop() and restart(). Set a new chkconfig-number in the commented in line at the beginning.
To be careful, registrate the service: "chkconfig --add rc.local".
Generally, using this command, all services get visible in MCC -> service administration.
Set the hooks to activate the needed ones only or set the runlevel 0 up to 6 for each new service manually, almost like 0-OFF 1-OFF 2-OFF 3-ON 4-ON 5-ON 6-OFF.
Notice, that all runlevel-init-scripts out of /etc/init.d/ and /etc/rcX.d can also get started (start), restarted (restart) and stopped (stop) for MDV and el6 and many other distributions manually by a command like:
"sh /etc/init.d/linfw3 start".

Start of the database server mysqld (el6.remi): like rc.local above, but the bind-address has to be commented in /etc/my.cnf.
Reverse-Proxy daemon (init-script) nginx (el6): like rc.local above too, but before you do this, copy "cp -axf /usr/lib/perl5/strict.pm /usr/local/share/perl5&quto; and "cp -axf /usr/lib/perl5/warnings* /usr/local/share/perl5/".
Apache webserver daemon httpd (el6): like rc.local above, but modules have to be configured well, eventually remove them.
Print server daemon: cups (pclos)
LAN-server resp. - clients: samba-... (el6); samba is not required for single pc-workstations connected with a DSL-router
...

But before these init-scripts get started, configure the server in their own configuration-files in /etc ! ...

Detailed includes of /etc/rc.local and one more script in /usr/sbin for ACL-access-rights are listed further below. Both will be started as runlevel-init-scripts (daemons) each boot out of /etc/init.d .

Important access-rights each system-boot, meaning of UNIX/Linux-groups
Files and directories with unrestricted access-rights can be found out, even without root-rights:
The command

find / -path /proc -prune -o -type f -perm 666

finds all files within the complete file-system except within "/proc", that can be read and overwritten (write). The next one,

find / -path /proc -prune -o -type f -perm 777

lists all such files, that are executable too.

find / -path /proc -prune -o -type d -perm 777

finds directores, that are ready for read and write.

Instead of giving directorese and files the full access rights (chmod 777), it is the better to use groups for the common used files by the command

chgrp [-R] [group] [file/Directory]
https://www.pcwelt.de/ratgeber/Sechs-wichtige-Sicherheitstipps-Linux-Server-9940087.html#6

777 ->, 770, 775 -> 770, 755 ->, 750, 641 ->, 640 usw.

For this, at least following user should belong to the group of root: standard group root, uuid, lp, lpadmin, tty, user and toruser.

Be a little bit careful with this! We almost resign from this assignment of users to the group of root in main in future, but whoever wants can try to restrict even more the access rights this way...

chgrp changes the group of directories and files. For the full access by different user and groups only the access-right 770 for directories and 660 for files have to be set only..

Important access-rights set each system boot
/etc/rc.local
chown root:root / # Notice: It would be much better to enter all chown and chmod here in /etc/permissions.secure and in the adequate form there only!
chown root:root /* # -> /etc/permissions.secure
chmod 700 -R /etc/init.d
chmod 700 -R /etc/rc0.d
chmod 700 -R /etc/rc1.d
chmod 700 -R /etc/rc2.d
chmod 700 -R /etc/rc3.d
chmod 700 -R /etc/rc4.d
chmod 700 -R /etc/rc5.d
chmod 700 -R /etc/rc6.d
chmod 400 /etc/shadow*
chmod 400 path_to_encrypted_key_file_for_LUKS_encrypted_partitions
...

In order to gain a first, short overview for more access-rights within /etc/rc.local set each boot ( for a second we are going to list them more in detail soon ). They do not make the system working only secure, they also do let work it mouseclick-fast :

chmod 111 /# Notice: It would be much better to enter all chown and chmod here in /etc/permissions.secure and in the adequate form there only!
chmod 755 /usr # 755 needed for caffeine only, else 751
chmod 751 /bin
chmod 751 /var # resp. 750, if user belongs to the group of root
chmod 751 /sbin
chmod 751 /lib64
chmod 751 /usr/lib64
# chmod 751 -R /usr/lib64/python2.6
# chmod 751 -R /usr/lib/python2.6 # shall have got the same include as /usr/lib64/python2.6
chmod 751 /usr/lib64/kde4
chmod 751 /etc # resp. chmod 750, if the groups listed above belong to root, same for /opt and /var, but we won&#t follow this in future.
chmod 755 /etc/* # resp.chmod 750, if the groups listed above belong to root, same for /opt and /var, but we won&#t follow this in future.
chmod 755 /etc/bashrc
chmod 755 -R /etc/font*
chmod 755 /etc/group
chmod 755 /etc/nsswitch.conf
chmod 755 /etc/ld.so.preload
chmod 755 -R /etc/pango*
chmod 755 /etc/sysconfig/network
chmod 755 /etc/sysconfig/network-scripts
chmod 700 -R /etc/init.d
chmod 700 -R /etc/rc0.d
chmod 700 -R /etc/rc1.d
chmod 700 -R /etc/rc2.d
chmod 700 -R /etc/rc3.d
chmod 700 -R /etc/rc4.d
chmod 700 -R /etc/rc5.d
chmod 700 -R /etc/rc6.d
chown root:shadow /etc/shadow*
chmod 400 /etc/shadow*
chown root:root /etc/passwd*
chmod 644 /etc/passwd*
chown root:root /etc/fstab*
chmod 400 /etc/fstab*
chown root:root /etc/crypttab*
chmod 700 /etc/crypttab*
chown root:root /etc/mtab*
chmod 700 /etc/mtab*
chown root:root /etc/hosts
chmod 644 /etc/hosts
chown root:root /etc/mtab* chmod 644 /etc/mtab* # chmod 700: kdf arbeitet nicht
chown root:root /etc/login.defs
chmod 755 /etc/login.defs
chmod 755 -R /etc/firejail
chmod 755 -R /etc/xdg*
chmod 755 -R /etc/resolv.conf
chown root:root -R /etc/modprobe*
chmod 700 -R /etc/modprobe*
chmod 751 /opt # resp. 750, if user belongs to the group of root
chmod 751 /lib
chmod 700 /root
chmod 700 -R /etc/init.d
chmod 751 /initrd
chmod 751 /misc
chmod 700 -R /boot-save
chown root:root /usr/bin
chown root:root /usr/sbin
chown root:root /usr/lib64
chown root:root /usr/lib
chown root:root /usr/libexec
chown root:root /usr/share
chown root:root /root
chmod 700 /usr/bin/xterm # terminals (except your favorite one)
chmod 700 /usr/bin/aterm
chmod 700 /usr/bin/byobu*
chmod 700 /usr/bin/terminator*
chmod 700 /usr/bin/quadkonsole*
chmod 700 /usr/bin/lxterminal*
chmod 700 /usr/bin/yakuake*
chmod 700 /usr/bin/aterm
chmod 700 /usr/bin/multi-aterm
chmod 700 /usr/bin/tcsh*
chmod 700 /usr/bin/rxvt*
chown root:firejail /usr/bin/firejail
chmod 04750 /usr/bin/firejail # For this, surfuser must be a member of the primary group named firejail of firejail !
chmod 644 /etc/passwd
chmod 644 /etc/security/msec/*.secure
chmod 711 /home
chmod 700 /home/user
chmod 700 /home/surfuser
chmod 700 /home/uuidd
chmod 700 /home/toruser
chmod 700 -R /home/user/Dokumente
#
# from permissions (OpenSuSE, chkstat), level: secure with some changes
/ root:root 111
/root/ root:root 700
/tmp/ root:root 1777
/tmp/.X11-unix/ root:root 1777
/tmp/.ICE-unix/ root:root 1777
/dev/ root:root 755
/bin/ root:root 751
/sbin/ root:root 751
/lib/ root:root 751
/etc/ root:root 751
/home/ root:root 711
/boot/ root:root 755
/opt/ root:root 751
/usr/ root:root 755
/usr/local root:root 755
#
# /var:
#

/var/tmp/ root:root 1777
/var/log/ root:root 755
/var/spool/ root:root 755
/var/spool/mqueue/ root:root 700
/var/spool/news/ news:news 775
/var/spool/voice/ root:root 755
/var/spool/mail/ root:root 1777
/var/adm/ root:root 755
/var/adm/backup/ root:root 700
/var/cache/ root:root 755
/var/cache/man/ man:root 755
/var/run/nscd/socket root:root 666
/run/nscd/socket root:root 666
/var/run/sudo/ root:root 700
/run/sudo/ root:root 700

#
# login tracking
#
/var/log/lastlog root:root 644
/var/log/faillog root:root 600
/var/log/wtmp root:utmp 664
/var/log/btmp root:utmp 600
/var/run/utmp root:utmp 664
/run/utmp root:utmp 664

#
# some device files
#

/dev/zero root:root 666
/dev/null root:root 666
/dev/full root:root 666
/dev/ip root:root 660
/dev/initrd root:disk 660
/dev/kmem root:kmem 640

#
# /etc
#
/etc/lilo.conf root:root 600
/etc/passwd root:root 644
/etc/shadow root:shadow 400
/etc/init.d/ root:root 755
/etc/hosts root:root 644
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow root:root 644
/etc/hosts.deny root:root 644
/etc/hosts.equiv root:root 644
/etc/hosts.lpd root:root 644
/etc/ld.so.conf root:root 644
/etc/ld.so.cache root:root 644

/etc/opiekeys root:root 600

/etc/ppp/ root:root 750
/etc/ppp/chap-secrets root:root 600
/etc/ppp/pap-secrets root:root 600

# sysconfig files:
/etc/sysconfig/network/providers/ root:root 700

# utempter
/usr/lib/utempter/utempter root:utmp 2755

# ensure correct permissions on ssh files to avoid sshd refusing
# logins (bnc#398250)
/etc/ssh/ssh_host_key root:root 600
/etc/ssh/ssh_host_key.pub root:root 644
/etc/ssh/ssh_host_dsa_key root:root 600
/etc/ssh/ssh_host_dsa_key.pub root:root 644 /etc/ssh/ssh_host_rsa_key root:root 600
/etc/ssh/ssh_host_rsa_key.pub root:root 644
/etc/ssh/ssh_config root:root 644
/etc/ssh/sshd_config root:root 640

#
# legacy
#
# new traceroute program by Olaf Kirch does not need setuid root any more.
/usr/sbin/traceroute root:root 755

# games:games 775 safe as long as we don´t change files below it (#103186)
# still people do it (#429882) so root:root 755 is the consequence.
/var/games/ root:root 0755

# No longer common. Set setuid bit yourself if you need it
# (#66191)
#/usr/bin/ziptool root:trusted 4750

#
# udev static devices (#438039)
#
/lib/udev/devices/net/tun root:root 0666
/lib/udev/devices/null root:root 0666
/lib/udev/devices/ptmx root:tty 0666
/lib/udev/devices/tty root:tty 0666
/lib/udev/devices/zero root:root 0666

#
# named chroot (#438045)
#
/var/lib/named/dev/null root:root 0666
/var/lib/named/dev/random root:root 0666

# opiesu is not allowed setuid root as code quality is bad (bnc#882035)
/usr/bin/opiesu root:root 0755

# we no longer make rpm build dirs 1777
/usr/src/packages/SOURCES/ root:root 0755
/usr/src/packages/BUILD/ root:root 0755
/usr/src/packages/BUILDROOT/ root:root 0755
/usr/src/packages/RPMS/ root:root 0755
/usr/src/packages/RPMS/alphaev56/ root:root 0755
/usr/src/packages/RPMS/alphaev67/ root:root 0755
/usr/src/packages/RPMS/alphaev6/ root:root 0755
/usr/src/packages/RPMS/alpha/ root:root 0755
/usr/src/packages/RPMS/amd64/ root:root 0755
/usr/src/packages/RPMS/arm4l/ root:root 0755
/usr/src/packages/RPMS/armv4l/ root:root 0755
/usr/src/packages/RPMS/armv5tejl/ root:root 0755
/usr/src/packages/RPMS/armv5tejvl/ root:root 0755
/usr/src/packages/RPMS/armv5tel/ root:root 0755
/usr/src/packages/RPMS/armv5tevl/ root:root 0755
/usr/src/packages/RPMS/armv6l/ root:root 0755
/usr/src/packages/RPMS/armv6vl/ root:root 0755
/usr/src/packages/RPMS/armv7l/ root:root 0755
/usr/src/packages/RPMS/athlon/ root:root 0755
/usr/src/packages/RPMS/geode/ root:root 0755
/usr/src/packages/RPMS/hppa2.0/ root:root 0755
/usr/src/packages/RPMS/hppa/ root:root 0755
/usr/src/packages/RPMS/i386/ root:root 0755
/usr/src/packages/RPMS/i486/ root:root 0755
/usr/src/packages/RPMS/i586/ root:root 0755
/usr/src/packages/RPMS/i686/ root:root 0755
/usr/src/packages/RPMS/ia32e/ root:root 0755
/usr/src/packages/RPMS/ia64/ root:root 0755
/usr/src/packages/RPMS/mips/ root:root 0755
/usr/src/packages/RPMS/noarch/ root:root 0755
/usr/src/packages/RPMS/pentium3/ root:root 0755
/usr/src/packages/RPMS/pentium4/ root:root 0755
/usr/src/packages/RPMS/powerpc64/ root:root 0755
/usr/src/packages/RPMS/powerpc/ root:root 0755
/usr/src/packages/RPMS/ppc64/ root:root 0755
/usr/src/packages/RPMS/ppc/ root:root 0755
/usr/src/packages/RPMS/s390/ root:root 0755
/usr/src/packages/RPMS/s390x/ root:root 0755
/usr/src/packages/RPMS/sparc64/ root:root 0755
/usr/src/packages/RPMS/sparc/ root:root 0755
/usr/src/packages/RPMS/sparcv9/ root:root 0755
/usr/src/packages/RPMS/x86_64/ root:root 0755
/usr/src/packages/SPECS/ root:root 0755
/usr/src/packages/SRPMS/ root:root 0755
#
# /etc
#
/etc/crontab root:root 600
/etc/exports root:root 644
/etc/fstab root:root 400
/etc/ftpusers root:root 644
/var/lib/nfs/rmtab root:root 644
/etc/syslog.conf root:root 600
/etc/ssh/sshd_config root:root 600
# we might want to tighten that up in the future in this profile (remove the
# ability for others to read/enter)
/etc/cron.d root:root 755
/etc/cron.daily root:root 755
/etc/cron.hourly root:root 755
/etc/cron.monthly root:root 755
/etc/cron.weekly root:root 755

#
# suid system programs that need the suid bit to work:
#
/bin/su root:root 4755
# disable at and cron for users that do not belnong to the group "trusted"
/usr/bin/at root:trusted 4750
/usr/bin/crontab root:trusted 4750
/usr/bin/gpasswd root:shadow 4755
/usr/bin/newgrp root:root 4755
/usr/bin/passwd root:shadow 4755
/usr/bin/chfn root:shadow 4755
/usr/bin/chage root:shadow 2755
/usr/bin/chsh root:shadow 4755
/usr/bin/expiry root:shadow 4755
/usr/bin/sudo root:root 4755
/usr/sbin/su-wrapper root:root 0755
# opie password system
# /usr/bin/opiepasswd root:root 4755
#
/sbin/mount.nfs root:root 0755
#
#
/usr/bin/fusermount root:trusted 4750
# needs setuid root when using shadow via NIS:
#
/sbin/unix_chkpwd root:shadow 4755
/sbin/unix2_chkpwd root:shadow 4755

# squid changes
/var/cache/squid/ squid:root 0750
/var/log/squid/ squid:root 0750
/usr/sbin/pinger squid:root 0750
+capabilities cap_net_raw=ep
/usr/sbin/basic_pam_auth root:shadow 2750

# still to be converted to utempter /usr/lib/gnome-pty-helper root:utmp 2755

#
# mixed section: most of it is disabled in this permissions.secure:
#
# video
/usr/bin/v4l-conf root:video 4750

# turned off write and wall by disabling sgid tty:
/usr/bin/wall root:tty 0755
/usr/bin/write root:tty 0755
# thttpd: sgid + executeable only for group www. Useless...
/usr/bin/makeweb root:www 2750
# pcmcia:
# Needs setuid to eject cards (#100120)
/sbin/pccardctl root:trusted 4750
# gnokii nokia cellphone software
# #66209
/usr/sbin/mgnokiidev root:uucp 755
# mailman mailing list software
# #66315
/usr/lib/mailman/cgi-bin/admin root:mailman 2755
/usr/lib/mailman/cgi-bin/admindb root:mailman 2755
/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755
/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755
/usr/lib/mailman/cgi-bin/options root:mailman 2755
/usr/lib/mailman/cgi-bin/private root:mailman 2755
/usr/lib/mailman/cgi-bin/roster root:mailman 2755
/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755
/usr/lib/mailman/cgi-bin/confirm root:mailman 2755
/usr/lib/mailman/cgi-bin/create root:mailman 2755
/usr/lib/mailman/cgi-bin/editarch root:mailman 2755
/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755
/usr/lib/mailman/mail/mailman root:mailman 2755

# libgnomesu (#75823, #175616)
/usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755

#
# networking (need root for the privileged socket)
#
/usr/bin/ping root:root 0755
+capabilities cap_net_raw=ep
/usr/bin/ping6 root:root 0755
+capabilities cap_net_raw=ep
# mtr is linked against ncurses. no suid bit, for root only:
/usr/sbin/mtr root:dialout 0750
/usr/bin/rcp root:root 4755
/usr/bin/rlogin root:root 4755
/usr/bin/rsh root:root 4755

# exim
/usr/sbin/exim root:root 4755

#
# dialup networking programs
#
/usr/sbin/pppoe-wrapper root:dialout 4750
# i4l package (#100750):
/sbin/isdnctrl root:dialout 4750
# #66111
/usr/bin/vboxbeep root:trusted 0755

#
# linux text console utilities
#
# setuid needed on the text console to set the terminal content on ctrl-o
# #66112
/usr/lib/mc/cons.saver root:root 0755

#
# terminal emulators
# This and future SUSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.

# needs setuid to access /dev/console
# framebuffer terminal emulator (japanese)
/usr/bin/jfbterm root:tty 0755

#
# kde
# (all of them are disabled in permissions.secure except for
# the helper programs)
#
# needs setuid root when using shadow via NIS:
# #66218
/usr/lib/kde4/libexec/kcheckpass root:shadow 4755
/usr/lib64/kde4/libexec/kcheckpass root:shadow 4755
/usr/lib/kde4/libexec/kdesud root:nogroup 2755
/usr/lib64/kde4/libexec/kdesud root:nogroup 2755
/usr/lib/libexec/kf5/kdesud root:nogroup 2755
/usr/lib64/libexec/kf5/kdesud root:nogroup 2755

# bnc#523833
/usr/lib/kde4/libexec/start_kdeinit root:root 4755
/usr/lib64/kde4/libexec/start_kdeinit root:root 4755

#
# amanda
#
/usr/sbin/amcheck root:amanda 0750
/usr/lib/amanda/calcsize root:amanda 0750
/usr/lib/amanda/rundump root:amanda 0750
/usr/lib/amanda/planner root:amanda 0750
/usr/lib/amanda/runtar root:amanda 0750
/usr/lib/amanda/dumper root:amanda 0750
/usr/lib/amanda/killpgrp root:amanda 0750

#
# gnats
#
/usr/lib/gnats/gen-index gnats:root 4555
/usr/lib/gnats/pr-edit gnats:root 4555
/usr/lib/gnats/queue-pr gnats:root 4555


#
# news (inn)
#
# the inn start script changes it´s uid to news:news. Later innbind
# is called by this user. Those programs do not need to be called by
# anyone else, therefore the strange permissions 4554 are required
# for operation. (#67032, #594393)
#
/usr/lib/news/bin/rnews news:uucp 4550
/usr/lib/news/bin/inews news:news 2555
/usr/lib/news/bin/innbind root:news 4550

#
# sendfax
#
# restrictive, only for "trusted" group users:
/usr/lib/mgetty+sendfax/faxq-helper fax:root 4755
/var/spool/fax/outgoing/ fax:root 0755
/var/spool/fax/outgoing/locks fax:root 0755

#
# uucp
#
/var/spool/uucppublic/ root:uucp 1770
/usr/bin/uucp uucp:uucp 6555
/usr/bin/uuname uucp:uucp 6555
/usr/bin/uustat uucp:uucp 6555
/usr/bin/uux uucp:uucp 6555
/usr/lib/uucp/uucico uucp:uucp 6555
/usr/lib/uucp/uuxqt uucp:uucp 6555

# pcp (bnc#782967)
/var/lib/pcp/tmp/ root:root 0755
/var/lib/pcp/tmp/pmdabash/ root:root 0755
/var/lib/pcp/tmp/mmv/ root:root 0755
/var/lib/pcp/tmp/pmlogger/ root:root 0755
/var/lib/pcp/tmp/pmie/ root:root 0755

# PolicyKit (#295341)
/usr/lib/PolicyKit/polkit-set-default-helper polkituser:root 4755
/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 4750

# polkit new (bnc#523377)
/usr/lib/polkit-1/polkit-agent-helper-1 root:root 4755
/usr/bin/pkexec root:root 4755

# dbus-1 (#333361)
/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
# dbus-1 in /usr #1056764)
/usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
/usr/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750

# policycoreutils (#440596)
/usr/bin/newrole root:root 0755

# VirtualBox (#429725)
/usr/lib/virtualbox/VirtualBox root:vboxusers 0755
# bsc#1120650
/usr/lib/virtualbox/VirtualBoxVM root:vboxusers 0750
/usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755
/usr/lib/virtualbox/VBoxSDL root:vboxusers 0755
# (bnc#533550)
/usr/lib/virtualbox/VBoxNetAdpCtl root:vboxusers 0755
# bnc#669055
/usr/lib/virtualbox/VBoxNetDHCP root:vboxusers 0755
# bsc#1033425
/usr/lib/virtualbox/VBoxNetNAT root:vboxusers 0755

# open-vm-tools (bnc#474285)
/usr/bin/vmware-user-suid-wrapper root:root 0755

# lockdev (bnc#588325)
/usr/sbin/lockdev root:lock 2755

# hawk (bnc#665045)
/usr/sbin/hawk_chkpwd root:haclient 4750
/usr/sbin/hawk_invoke root:haclient 4750

# chromium (bnc#718016)
/usr/lib/chrome_sandbox root:root 4755

# ecryptfs-utils (bnc#740110)
/sbin/mount.ecryptfs_private root:root 0755

# wireshark (bsc#957624)
/usr/bin/dumpcap root:wireshark 0750
+capabilities cap_net_raw,cap_net_admin=ep

# singularity (bsc#1028304)
# these have been dropped in version 2.4 (see bsc#1111411, comment 4)
#/usr/lib/singularity/bin/expand-suid root:singularity 4750
#/usr/lib/singularity/bin/create-suid root:singularity 4750
#/usr/lib/singularity/bin/export-suid root:singularity 4750
#/usr/lib/singularity/bin/import-suid root:singularity 4750
/usr/lib/singularity/bin/action-suid root:singularity 4750
/usr/lib/singularity/bin/mount-suid root:singularity 4750
/usr/lib/singularity/bin/start-suid root:singularity 4750

/usr/bin/su root:root 4755
/usr/bin/mount root:root 4755
/usr/bin/umount root:root 4755

# cdrecord of cdrtools from Joerg Schilling (bnc#550021)
# in secure mode, no provisions are made for reliable cd burning, as admins
# will have very likely prohibited that anyway.
/usr/bin/cdrecord root:root 755
/usr/bin/readcd root:root 755
/usr/bin/cdda2wav root:root 755

# qemu-bridge-helper (bnc#765948, bsc#988279)
/usr/lib/qemu-bridge-helper root:kvm 04750

# systemd-journal (bnc#888151)
/var/log/journal/ root:systemd-journal 2755

#iouyap (bnc#904060)
/usr/lib/iouyap root:iouyap 0750

# radosgw (bsc#943471)
/usr/bin/radosgw root:www 0750
+capabilities cap_net_bind_service=ep

# gstreamer ptp (bsc#960173)
/usr/lib/gstreamer-1.0/gst-ptp-helper root:root 0755
+capabilities cap_net_bind_service=ep

#
# suexec is only secure if the document root doesn´t contain files
# writeable by wwwrun. Make sure you have a safe server setup
# before setting the setuid bit! See also
# https://bugzilla.novell.com/show_bug.cgi?id=263789
# http://httpd.apache.org/docs/trunk/suexec.html
# You need to override this in permissions.local.
# suexec2 is a symlink for now, leave as-is
#
/usr/sbin/suexec root:root 0755

# newgidmap / newuidmap (bsc#979282, bsc#1048645)
/usr/bin/newgidmap root:shadow 4755
/usr/bin/newuidmap root:shadow 4755

# kwayland (bsc#1062182)
/usr/bin/kwin_wayland root:root 0755
+capabilities cap_sys_nice=ep

# gvfs (bsc#1065864)
/usr/lib/gvfs/gvfsd-nfs root:root 0755

# icinga2 (bsc#1069410)
/run/icinga2/cmd icinga:icingagmd 2750

# fping (bsc#1047921)
/usr/sbin/fping root:root 0755
+capabilities cap_net_raw=ep

# usbauth (bsc#1066877)
/usr/bin/usbauth-npriv root:usbauth 04750
/usr/lib/usbauth-notifier root:usbauth-notifier 0750
/usr/lib/usbauth-notifier/usbauth-notifier root:usbauth 02755

# spice-gtk (bsc#1101420)
/usr/bin/spice-client-glib-usb-acl-helper root:kvm 04750

# smc-tools (bsc#1102956)
/usr/lib/libsmc-preload.so root:root 04755
/usr/lib64/libsmc-preload.so root:root 04755

# lxc (bsc#988348)
/usr/lib/lxc/lxc-user-nic root:kvm 04750

# firejail (bsc#1059013) /usr/bin/firejail root:firejail 04750 # For this, surfuser must be member of the primary group named firejail of firejail !

# authbind (bsc#1111251)
/usr/lib/authbind/helper root:root 04755

# fuse3 (bsc#1111230)
/usr/bin/fusermount3 root:trusted 04750

# 389-ds (bsc#1111564)
/usr/sbin/ns-slapd root:dirsrv 0750
/ root:root 111
/home root:root 711
/home/user user:user 700
/home/surfuser surfuser:surfuser 700
/home/toranonym toruser:torgroup 700
/usr/src root:root 700
/usr/lib64 root:root 751
/usr/lib64/kde4 root:root 751
/usr root:root 755
/bin root:root 751
/sbin root:root 751
/lib64 root:root 751
/lib root:root 751
/root root:root 700
/initrd root:root 751
/misc root:root 751
/boot-save root:root 000
/usr/games root:root 751
/net root:root 751
/secoff root:root 710
/sid-root root:root 700
/srv root:root 751
/sys root:root 751
/var root:root 751
/mnt root:root 755
/media root:root 711
/initrd root:root 751
/etc/security/msec/*.secure root:root 751
/usr/local root:root 755
/usr/local/Brother root:root 755
/GenuineIntel.bin root:root 710
/Module.symvers root:root 751
/usr/lib/cups root:root 755
/usr/share/cups root:root 755
/etc/cups root:root 755
/smack root:root 700
/usr/share root:root 755
/usr/share/* root:root 755
/usr/libexec root:root 751
/usr/libexec/* root:root 755
/usr/lib64/kde4 root:root 751
/home/user/Dokumente user:user 700
/home/user/Dokumente/* user:user 700
/home/user/.kde4 user:user 700
/home/user/.kde4/* user:user 700
/home/user/.kde4/share/apps/kmail/mail user:user 700
/home/user/.kde4/share/apps/kmail/mail/*/*/* user:user 700
/home/surfuser/.mozilla surfuser:surfuser 100
/var/cache root:root 755
/var/cache/cups root:root 775
/var/cache/cups/ppds.dat lp:sys 600
/var/cache/cups/job.cache root:nobody 640
/var/cache/cups/help.index lp:sys 600
/var/cache/pdnsd pdnsd:pdnsd 755
/var/cache/pdnsd/pdnsd.cache pdnsd:pdnsd 755
/var/cache/coolkey root:root 755
/var/cache/urpmi root:root 755
/var/cache/apparmor root:root 755
/home/uuidd uuidd:uuidd 700
/usr/libexec root:root 755
/usr/lib/cups/filter root:sys 755 # Gruppe sys, abhängig von /etc/cups/cupsd.conf
/usr/lib/cups/filter/* root:sys 755
/usr/lib/cups/driver root:sys 755
/usr/lib/cups/driver/* root:sys 755
/usr/share/cups/ root:sys 755
/usr/share/cups/* root:sys 755
/usr/share/cups/model/ root:sys 755
/var/spool root:root 755
/var/spool/MailScanner root:root 755
/usr/lib/cups/filter/* root:sys 755
/usr/lib/cups/driver/* root:sys 755
/usr/share/cups/* root:sys 755
/etc/cups root:sys 755
/etc/cups/* root:sys 755
/var/cache/cups root:nobody 775
/var/cache/cups/rss root:nobody 775
/lib64/ld*.so root:root 755
/lib64/libc-*.so root:root 755
/usr/lib64/kde4 root:root 751
/usr/lib64/kde4/* root:root 755
/usr/share root:root 755
/usr/games root:root 751
/etc/security/msec/*.secure root:root 751
/usr/local root:root 755
/usr/share/* root:root 755

Start permissions for example in /etc/rc.local: chkstat --set --no-fscaps /etc/permissions # rpm "permissions" from OpenSuSE (even possible for CentOS 6)
chkstat --set --no-fscaps /etc/permissions.secure # configuration from right above
chkstat --set --no-fscaps /etc/permissions.local # ... but configure it at first!

CAPABILITIES
capsh, getcap, setcap, ...
linux - Using capsh to drop all capabilities - Stack Overflow
root: All caps are assigned to root by default !
pub enum Capability { CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP Drops the capability for the current process via a call to cap_drop_bound.0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37...
Capabilities:
capsh --print Current: = Bounding set = Securebits: 00/0x0/1'b0 secure-noroot: no (unlocked) secure-no-suid-fixup: no (unlocked) secure-keep-caps: no (unlocked) uid=10101(u0_a101) gid=10101...
/etc/permissions.secure :
...
/usr/sbin/pinger squid:root 0750
+capabilities cap_net_raw=ep
...
/usr/bin/ping root:root 0755
+capabilities cap_net_raw=ep
...
stackoverflow.com/questions/28811823/using-capsh-to-drop-all-capabilities

/etc/rc.local (complete, vollständig)
#!/bin/sh
#
### BEGIN INIT INFO
# Provides: rc.local
# X-Mandriva-Compat-Mode
# Default-Start: 2 3 4 5
# Short-Description: Local initialization script
# Description: This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don´t
# want to do the full Sys V style init stuff.
### END INIT INFO
sysctl -p /etc/sysctl.conf
auditctl -e0
echo 1 > /sys/devices/system/cpu/microcode/reload
# microcode_ctl -Qu
sh /usr/libexec/microcode_ctl/reload_microcode
hdparm -W1a0A0 /dev/sda # mausklick-schnelle SSD am S-ATA-Port, beachte die Anschlussnummer (1: sda, 2: sdb, ...)
echo deadline > /sys/block/sdb/queue/scheduler
echo 500 > /proc/sys/vm/dirty_writeback_centisecs
echo 20 > /proc/sys/vm/dirty_ratio
echo 5 > /proc/sys/vm/dirty_background_ratio
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "" > /etc/securetty
# https://en.wikipedia.org/wiki/TCP_congestion-avoidance_algorithm # cat /proc/sys/net/ipv4/tcp_congestion_control
# modprobe tcp_htcp
modprobe sch_fq_codel
modprobe tcp_cubic
# modprobe tcp_bbr
# echo sch_fq_codel > /proc/sys/net/core/default_qdisc
echo cubic > /proc/sys/net/ipv4/tcp_congestion_control
macchanger --mac=ac:22:ca:00:00:c1 eth0
echo sch_fq_codel > /proc/sys/net/core/default_qdisc
xhost -
xhost +si:localuser:user
xhost -inet6:user@
xhost -nis:user@
xhost - 192.168.178.1
xhost - 192.168.178.40
# echo 1 > /proc/sys/net/ipv4/conf/all/hidden # or net.ipv4.conf.all.hidden=1 within /etc/sysctl.conf
# echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden
# echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
# echo 0 > /proc/sys/net/ipv4/conf/all/shared_media
# echo 1 > /proc/sys/net/ipv4/conf/eth0/secure_redirects
# echo 0 > /proc/sys/net/ipv4/conf/eth0/shared_media
touch /var/lock/subsys/local
modprobe usblp
modprobe usb_storage
ifconfig eth0 -multicast
ifconfig lo -multicast
ifconfig lo -broadcast
ip link set eth0 multicast off
ip link set lo multicast off
sh /etc/init.d/ip6tables restart # wenn iptables-ipv6 (el6) neben iptables (el6) installiert worden ist; Der gesamte Traffic innerhalb des neuen Adressraums IPv6 wird auf INPUT, OUTPUT und FORWARD mit Linfw3 geblockt, siehe Regeln innerhalb /etc/sysconfig/ip6tables. Anstelle dieses totalen Blocks können alle IPv4-Regeln von Linfw3 in /usr/local/LINFW3.sh nach /etc/sysconfig/ip6tables übernommen werden, indem ipt="iptables" mit ipt="ip6tables" ausgestauscht wird. Überprüfe außerdem, ob /sbin/ip6tables* richtig mit /sbin/ip6tables-multi verlinkt ist.
mount -t securityfs -o rw,noatime /sys/kernel/security /mnt2
#sh /etc/init.d/syslog start
sh /etc/init.d/rsyslog start
cp -fp /etc/hosts.savenew /etc/hosts
cp -fp /etc/pdnsd-savenew.conf /etc/pdnsd.conf
# cp -fp /boot-save/ifcfg-eth0* /etc/sysconfig/network-scripts/
cp -fp /boot-save/70-persistent-net.rules /etc/udev/rules.d/
export RESOLV_HOST_CONF="/etc/hosts"
# sh /etc/init.d/incrond start
# sh /etc/init.d/noflushd start
# gpg-agent --daemon --use-standard-socket
# atieventsd
# dhclient -4 -cf /etc/dhcp/dhclient.conf eth0 &
# NetworkManager --log-level=ERR
# preload
# ifup eth0
# acpid&
# dnssec-triggerd
# unbound -dv -c /etc/unbound/unbound.conf
# tcpd &
# sh /etc/init.d/xfs start
# sh /etc/init.d/psad start
# paxctld -c /etc/paxctld.conf -d -p /var/run/paxctld
# dnscrypt-proxy --daemonize --user=pdnsd --local-address 127.0.0.2:53 -r 192.168.178.1 -l --tcp-port 443 /dev/null
# dnscrypt-proxy --daemonize --user=pdnsd --local-address 127.0.0.2:53 -r 208.67.222.222 --tcp-port 443 -l /dev/null
# dnscrypt-proxy --daemonize --user=pdnsd --local-address 127.0.0.2:53 -r 213.73.91.35 --tcp-port 443 -l /dev/null
# cp -fp /var/cache/pdnsd.cache /var/cache/pdnsd-savenew.cache
# speechd
# artsd&
# killall plymouthdxhost -
# sh /etc/init.d/lpd start
# redshift -l 60:10 -t 6500K:6200K&
sh /etc/init.d/modules-disabled start# kernel.modules_disabled=1, here after 45 seconds
chkstat --set --no-fscaps /etc/permissions # rpm permissions form OpenSuSE
chkstat --set --no-fscaps /etc/permissions.secure
#apparmor_parser -af /etc/apparmor/profiles/extras/usr.lib.firefox.firefox &
#apparmor_parser -af /etc/apparmor/profiles/sbin.dhclient &
#apparmor_parser -af /etc/apparmor/profiles/usr.bin.man &
#apparmor_parser -af /etc/apparmor/profiles/usr.bin/passwd &
#apparmor_parser -af /etc/apparmor/profiles/extras/usr.lib.firefox.sh &
# /usr/lib64/apparmorapplet&
unshare apparmor-dbus &
echo "ALLOW_REBOOT=yes" >> /etc/security/msec/security.conf
echo "BASE_LEVEL=secure" > /etc/security/msec/security.conf
echo "ENABLE_STARTUP_MSEC=yes" > /etc/security/msec/security.conf
echo "ENABLE_STARTUP_PERMS=enforce" > /etc/security/msec/security.conf
msec -f secure # msec: rpm from Mandriva Linux and Rosalabs
# chmod 666 /dev/usb/lp0 # besser: Sämtliche chown und chmod in /etc/permissions.secure in der vorgesehenen Form eintragen!
chown pdnsd:pdnsd -R /var/cache/pdnsd
chmod 755 /var/cache/pdnsd/pdnsd.cache
chown root:root /etc/hosts
chmod 400 /usr/local/key
chmod 644 /etc/hosts
chmod 111 /
chmod 751 /etc
chmod 755 /etc/sysconfig/network
chmod 755 /etc/sysconfig/network-scripts
chmod 400 /etc/shadow*
chmod 400 /etc/fstab*
chmod 700 /etc/crypttab*
chmod 700 /etc/mtab*
chmod 711 /home
chmod 700 /home/user
chmod 700 /home/surfuser
chmod 700 -R /home/surfuser/.mozilla
chown root:root /home/surfuser/.mozilla/firefox/profile.default/user.js
chmod 755 /home/surfuser/.mozilla/firefox/profile.default/user.js
chown root:root /home/surfuser/.mozilla/firefox/prefs.js
chmod 755 /home/surfuser/.mozilla/firefox/prefs.js
chmod 700 -R /home/surfuser/.moon*
chmod 700 -R /usr/src
chmod 751 /etc/X11
chmod 751 /usr/lib64
chmod 751 /usr/lib64/kde4
chmod 700 /home/toruser
chmod 700 -R /home/user/Dokumente
chmod 700 /home/uuidd
chmod 400 /usr/local/ke*
chmod 755 /usr
chmod 751 /bin
chmod 751 /sbin
chmod 751 /lib64
chmod 751 /opt
chmod 751 /lib
chmod 700 /root
chmod 700 -R /etc/init.d
chmod 751 /initrd
chmod 751 /misc
chmod 700 -R /boot-save
chmod 644 /etc/passwd
chmod 751 /usr/games
chmod 751 /net
chmod 710 /secoff
chmod 700 /sid-root
chmod 700 /smack
chmod 751 /srv
chmod 751 /sys
chmod 700 /typo3i*
chmod 751 /var
chmod 700 /lost*found
chmod 710 /intel-ucode*
chmod 751 /initrd
chmod 710 /GenuineIntel.bin
chmod 751 /etc/security/msec/*.secure
chmod 751 /Module.symvers
rm -df /home/surfuser/.Xauth*.*
rm -df /home/surfuser/.xauth*
rm -df /home/toruser/.xauth*
rm -df /home/toruser/.Xauth*.*
rm -df /home/user/.kde4/share/apps/kmail/mail/Spam/cur/*
rm -df /var/spool/cups/a*
rm -df /var/spool/cups/b*
rm -df /var/spool/cups/c*
rm -df /var/spool/cups/d*
rm -df /var/spool/cups/e*
rm -df /var/spool/cups/f*
rm -df /var/spool/cups/g*
rm -df /var/spool/cups/h*
rm -df /var/spool/cups/i*
rm -df /var/spool/cups/j*
rm -df /var/spool/cups/k*
rm -df /var/spool/cups/l*
rm -df /var/spool/cups/m*
rm -df /var/spool/cups/o*
rm -df /var/spool/cups/p*
rm -df /var/spool/cups/q*
rm -df /var/spool/cups/r*
rm -df /var/spool/cups/s*
rm -df /var/spool/cups/u*
rm -df /var/spool/cups/v*
rm -df /var/spool/cups/w*
rm -df /var/spool/cups/x*
rm -df /var/spool/cups/y*
rm -df /var/spool/cups/z*
echo ´V´ > /dev/watchdog
sh /etc/init.d/dosetfacls start# Script dosetfacls right up in the following
exit

Also create file (runlevel-init-script)
/etc/init.d/dosetfacls

Erzeuge noch
/etc/init.d/dosetfacls

#!/bin/sh
#
# This is file /etc/rc.d/init.d/linfw3 and was put here
# by the linfw3 rpm
#
# chkconfig: 2345 92 36
#
# description: secure iptables based firewall against all hacker and trojans \
# evtl. change chkconfig Number!
#

# ********************************************************************
#
# File : DOLLARSIGNSource: /cvsroot/ijbswa/current/linfw3.init,v $
#
# Purpose : This shell script takes care of starting and stopping
# linfw3.
#
# Copyright : Written by Gooken
# http://www.gooken.de
#
#
#
# ********************************************************************/


# Source function library.
. /etc/rc.d/init.d/functions

start () {
# start daemon
setfacl -m u:-1:- /* # There is an unnamed (!) process starting from time to time by user so called "-1, root".... listed on the buttom of the listing from ps -aux (gamin, FAM?)
setfacl -m u:-1:- /mnt
setfacl -m u:-1:- /media
setfacl -m u:apache:- /home/user
setfacl -m u:apache:- /home/surfuser
setfacl -m u:apache:- /home/toranonym
setfacl -m u:apache:- /mnt
setfacl -m u:apache:- /media
setfacl -m u:surfuser:- /etc/shadow*
setfacl -m u:toranonym:- /etc/shadow*
setfacl -m u:surfuser:- /etc/fstab*
setfacl -m u:surfuser:- /etc/mtab*
setfacl -m u:surfuser:- /etc/crypttab*
setfacl -m u:toranonym:- /etc/fstab*
setfacl -m u:toranonym:- /etc/mtab*
setfacl -m u:toranonym:- /etc/crypttab*
setfacl -m u:surfuser:- /etc/init.d
setfacl -m u:surfuser:- /etc/init.d/*
setfacl -m u:toranonym:- /etc/init.d
setfacl -m u:toranonym:- /etc/init.d/*
setfacl -m u:surfuser:- /etc/rc0.d
setfacl -m u:surfuser:- /etc/rc1.d
setfacl -m u:surfuser:- /etc/rc2.d
setfacl -m u:surfuser:- /etc/rc3.d
setfacl -m u:surfuser:- /etc/rc4.d
setfacl -m u:surfuser:- /etc/rc5.d
setfacl -m u:surfuser:- /etc/rc6.d
setfacl -m u:surfuser:- /etc/rc.local
setfacl -m u:toranonym:- /etc/rc0.d
setfacl -m u:toranonym:- /etc/rc1.d
setfacl -m u:toranonym:- /etc/rc2.d
setfacl -m u:toranonym:- /etc/rc3.d
setfacl -m u:toranonym:- /etc/rc4.d
setfacl -m u:toranonym:- /etc/rc.local
setfacl -m u:surfuser:- /etc/security/msec
setfacl -m u:surfuser:- /etc/security
setfacl -m u:toranonym:- /etc/security
setfacl -m u:toranonym:- /etc/security/msec
setfacl -m u:surfuser:- /etc/crypttab*
setfacl -m u:surfuser:- /usr/bin/*
setfacl -x surfuser /usr/bin/bash*
setfacl -x surfuser /usr/bin/unshare
setfacl -x surfuser /usr/bin/firejail*
setfacl -x surfuser /usr/bin/firefox*
setfacl -x surfuser /usr/bin/gftp*
setfacl -x surfuser /usr/bin/tor*
setfacl -x surfuser /usr/bin/xauth*
setfacl -x surfuser /usr/bin/xargs*
setfacl -x surfuser /usr/bin/sg*
setfacl -x surfuser /usr/bin/palemoon*
setfacl -x surfuser /usr/bin/export
setfacl -m u:surfuser:- /usr/libexec
setfacl -m u:surfuser:- /usr/sbin
setfacl -m u:surfuser:--x /bin
setfacl -m u:surfuser:- /bin/*
setfacl -m u:surfuser:- /sbin
setfacl -x surfuser /bin/bash*
setfacl -x surfuser /bin/certtool
setfacl -x surfuser /bin/certutil
setfacl -x surfuser /bin/basename
setfacl -x surfuser /bin/bash.old
setfacl -x surfuser /bin/p11tool
setfacl -x surfuser /bin/pk12util
setfacl -x surfuser /bin/smime
setfacl -x surfuser /bin/shlibsign
setfacl -x surfuser /bin/sign*
setfacl -x surfuser /bin/ssltap*
setfacl -m u:surfuser:--x /home/surfuser
setfacl -m u:toranonym:- /home/surfuser
setfacl -m u:surfuser:- /usr/local
setfacl -m u:surfuser:- /opt
setfacl -m u:surfuser:--x /lib64
setfacl -m u:surfuser:--x /usr/lib64
setfacl -m u:surfuser:--x /lib
setfacl -m u:surfuser:--x /usr/lib
setfacl -m u:surfuser:- /misc
setfacl -m u:surfuser:- /net
setfacl -m u:surfuser:- /sid-root
setfacl -m u:surfuser:--x /etc
setfacl -m u:surfuser:- /intel-ucode
setfacl -m u:surfuser:--x /secoff
setfacl -m u:surfuser:- /smack
setfacl -m u:surfuser:- /srv
setfacl -m u:surfuser:- /--tcp-port
setfacl -m u:surfuser:- /initrd
setfacl -m u:surfuser:- /ttf
setfacl -m u:surfuser:- /none
setfacl -m u:surfuser:- /doc
setfacl -m u:surfuser:- /firejail
setfacl -m u:surfuser:- /root
setfacl -m u:surfuser:- /usr/lib64/kde4/*
setfacl -x surfuser /usr/lib64/kde4/libexec
setfacl -m u:surfuser:- /usr/lib64/kde4/libexec/*
setfacl -x surfuser /usr/lib64/kde4/libexec/kdesu*
return
}

case "DOLLARSIGN1" in start)
start
;;
*)
gprintf "Usage: %s {start|stop|restart|status} " "DOLLARSIGNLINFW3_PRG"
exit 1
esac

exit DOLLARSIGNRETVAL

Notice: toranonym is our elder account for tor. Now it´s surfuser too - as general for browsing, but can be used for more privilidges, for many, many processes like for chats or global mapping like marble. surfuser only is enough - just reset belonging setfacl process by process to allow by option -x
Exchange DOLLARSIGN again with the dollar-character... and start it each boot within /etc/rc.local by the command "sh /etc/init.d/dosetfacls start" !


Change File Attributes (chattr) for example for data integrity ( option -i )
man chattr
User-Extended-Attributes must be set for the belonging partitions!

chattr +i -R /boot
chattr +i /etc/hosts*
chattr +i /etc/fstab
chattr +i /home/surfuser/.mozilla
chattr +i /home/surfuser/.mozilla/firefox/*.js
chattr +i /home/surfuser/.mozilla/firefox/profile.default/user.js
chattr +i /home/surfuser/torrc
chattr +i /home/surfuser/geoip*

... und create as described further above the belonging two runlevel-init-scripts (daemons) in /etc/init.d namens rc.local and dosetfacl.
Register those two scripts and active them by default in higher runlevels:

chkconfig --add rc.local && chkconfig --add dosetfacl

Advantage: regardless from packet-installations, significant ACL-access-rights were set each system boot. This keeps the system secure and makes it mouse-click-fast.

Additionally, the grsecurity-patches for the kernel (resp. root-kernel-processes), login-lock /sbin/nologin and password-protection and locking of all system- and user-accounts excecpt surfuser (and maybe a separate toruser), Sandbox Firejail (especially for the lock of the shells/terminals) and Firewall Linfw3 get in use too, beneath Tor resp. the tor-browser with firefox-extensions for script-filtering like ABP, noscript and RequestPolicyBlockContinued and more get in use too.

Set setfacl -m u:surfuser:- /usr/bin/* except for /usr/bin/bash, /usr/bin/firefox, /usr/bin/firejail, /usr/bin/sg, /usr/bin/proftp*, /usr/bin/tor*, /usr/bin/export, /usr/bin/xauth*, /usr/bin/xarg* and all communication programs, surfuser should be able to use.

rsyslog anstelle syslogd
Rsyslog is an enhanced multi-threaded syslogd supporting, among others, MySQL, PostgreSQL, syslog/tcp, RFC 3195, permitted sender lists, filtering on any message part, and fine grain output format control. It is quite compatible to stock sysklogd and can be used as a drop-in replacement. Its advanced features make it suitable for enterprise-class, encryption protected syslog relay chains while at the same time being very easy to setup for the novice user. o lmnet.so - Implementation of network related stuff. o lmregexp.so - Implementation of regexp related stuff. o lmtcpclt.so - This is the implementation of TCP-based syslog clients. o lmtcpsrv.so - Common code for plain TCP based servers. o imtcp.so - This is the implementation of the TCP input module. o imudp.so - This is the implementation of the UDP input module. o imuxsock.so - This is the implementation of the Unix sockets input module. o imklog.so - The kernel log input module for Linux. o immark.so - This is the implementation of the build-in mark message input module. o imfile.so - This is the input module for reading text file data.

You have to delete all *syslog*-init-script-files out of /etc/rc*.d/ and /etc/init.d/ .

/etc/rsyslog.conf
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####

DollarsignModLoad imuxsock # provides support for local system logging (e.g. via logger command)
Dollarsignimklog # provides kernel logging support (previously done by rklogd)
#DollarsignModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#DOLLARSIGNModLoad imudp
#DOLLARSIGNUDPServerRun 514
# Provides TCP syslog reception
#DOLLARSIGNModLoad imtcp
#DOLLARSIGNInputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
DOLLARSIGNActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#DOLLARSIGNActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
DOLLARSIGNIncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don´t log private authentication messages!
*.warn;mail.none;news.none;authpriv.none;cron.none /tmp/messages
# The authpriv file has restricted access.
authpriv.* /tmp/secure
# Log all the mail messages in one place.
mail.* -/tmp/maillog
# Log cron stuff
cron.* /tmp/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /tmp/spooler
# Save boot messages also to boot.log
local7.* /tmp/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#DOLLARSIGNWorkDirectory /var/lib/rsyslog # where to place spool files
#DOLLARSIGNActionQueueFileName fwdRule1 # unique name prefix for spool files
#DOLLARSIGNActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#DOLLARSIGNActionQueueSaveOnShutdown on # save messages to disk on shutdown
#DOLLARSIGNActionQueueType LinkedList # run asynchronously
#DOLLARSIGNActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
#
# INN
#
news.=crit /tmp/news/news.crit
news.=err /tmp/news/news.err
news.notice /tmp/news/news.notice
news.=debug /tmp/news/news.debug

/proc/sys/* - Kernel-flags &Co.: detailed configuration
sysctl.conf - variables are files out of /proc/sys
check settings by "sysctl -a"
# Kernel sysctl configuration file
# /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
# Kernel sysctl configuration file for CentOS and Mandriva Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# /etc/sysctl.conf
# additionally from http://joshrendek.com/2013/01/securing-ubuntu/ resp. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
# Turn on execshild
# kernel.exec-shield = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq =0
net.ipv6.conf.lo.use_tempaddr = 0
# Disables IP dynaddr
net.ipv4.ip_dynaddr = 1
# Disable ECN
net.ipv4.tcp_ecn = 1
# Controls source route verification
net.ipv4.conf.all.rp_filter =1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_congestion_control=cubic
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq =0
# kernel.modules_disabled=0
# kernel.exec-shield=1
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 0
# If the kptr_restrict value is 0, kernel addresses are provided without limitations (recommended).
# If the kptr_restict value is 1, addresses are provided if the current user has a CAP_SYSLOG
# capability.
# If the kptr_restrict value is 2, the kernel addresses are hidden regardless of privileges the
# current user has.

kernel.kptr_restrict=2
kernel.dmesg_restrict = 1
# kernel.yama.ptrace_scope=3
# If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
dev.cdrom.autoclose=1
dev.cdrom.autoeject=1
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1
# to be able to eject via the device eject button (magicdev)
dev.cdrom.lock=0

# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0
net.ipv4.ip_forward =0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog =512
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.shared_media = 0
net.ipv4.conf.eth0.secure_redirects=1
net.ipv4.conf.eth0.shared_media=0

​# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.ipv6.conf.eth0.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.router_solicitations=0
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.dad_transmits=0
net.ipv6.conf.default.max_addresses=0
#
# ls /lib/modules/`uname -r`/kernel/net/ipv4/
# modprobe tcp_htcp
# modprobe tcp_cubic
# modprobe tcp_bbr
# net.core.default_qdisc=sch_fq_codel
net.ipv4.tcp_congestion_control=cubic
# BBR

# net.core.default_qdisc=fq
# net.ipv4.tcp_congestion_control=bbr

# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.core.somaxconn=65535
net.core.optmem_max=25165824
net.core.rmem_max =212992
net.core.wmem_max =212992
net.core.rmem_default =212992
net.core.wmem_default =212992
net.core.netdev_max_backlog = 1000
#
kernel.sysrq = 0
kernel.core_uses_pid = 1
# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max=65535
fs.protected_hardlinks=1
fs.protected_symlinks=1
fs.protected_regular=1
# fs.protected_fifos=1 # this might cause overflow of processes akonadi_maildir: system runs out of capacities
# fs.dir-notify-enable=0
# fs.mount-max=20
fs.suid_dumpable=0
# The kernel allocates aio memory on demand, and this number limits the
# number of parallel aio requests; the only drawback of a larger limit is
# that a malicious guest could issue parallel requests to cause the kernel
# to set aside memory. Set this number at least as large as
# 128 * (number of virtual disks on the host)
# Libvirt uses a default of 1M requests to allow 8k disks, with at most
# 64M of kernel memory if all disks hit an aio request at the same time.
# fs.aio-max-nr = 1048576
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max=65536
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 3294967295
kernel.shmall = 3294967295
kernel.randomize_va_space = 2

net.ipv4.tcp_fin_timeout =3600
net.ipv4.tcp_keepalive_time =7200
net.ipv4.tcp_keepalive_probes =7
net.ipv4.tcp_syn_retries =6
net.ipv4.tcp_retries1 =1
net.ipv4.tcp_retries2 =3
net.ipv4.tcp_retrans_collapse =1
net.ipv4.tcp_sack =1
net.ipv4.ip_default_ttl =64
net.ipv4.ipfrag_time =30
net.ipv4.ip_no_pmtu_disc =0
net.unix.max_dgram_qlen =10
vm.overcommit_memory =2
vm.overcommit_ratio=200
# or: vm.overcommit_kbytes=
vm.page-cluster =3
vm.oom_dump_tasks =0
vm.dirty_ratio=20
vm.dirty_writeback_centisecs=500
vm.dirty_background_ratio=5

kernel.ctrl-alt-del =1
kernel.panic =0
kernel.acct =4 2 30
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
kernel.printk =0 6 1 3
kernel.printk_ratelimit = 5 # period to wait in seconds
kernel.printk_ratelimit_burst = 60 # max. amount same time
kernel.shmall =-1
# If the kptr_restrict value is 0, kernel addresses are provided without limitations (recommended).
# If the kptr_restict value is 1, addresses are provided if the current user has a CAP_SYSLOG capability.
# If the kptr_restrict value is 2, the kernel addresses are hidden regardless of privileges the current user has.
kernel.kptr_restrict=2
# ptrace: process tracing
# kernel.yama.ptrace_scope=3
dev.raid.speed_limit_min =1000
dev.raid.speed_limit_max =200000
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_window_scaling=1
net.ipv4.tcp_timestamps=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_congestion_control=cubic
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.all.shared_media=0
net.ipv4.conf.eth0.secure_redirects=1
net.ipv4.conf.eth0.shared_media=0

# The kernel allocates aio memory on demand, and this number limits the
# number of parallel aio requests; the only drawback of a larger limit is
# that a malicious guest could issue parallel requests to cause the kernel
# to set aside memory. Set this number at least as large as
# 128 * (number of virtual disks on the host)
# Libvirt uses a default of 1M requests to allow 8k disks, with at most
# 64M of kernel memory if all disks hit an aio request at the same time.
# fs.aio-max-nr = 1048576

http://www.linux-admins.net/2010/09/all-you-need-to-know-about-procsys.html
Example for ulimit, ulimit -a and sysctl -a, https://forum.altlinux.org/index.php?topic=4786.0

Link

ln -sf /usr/sbin/sysctl /sbin/sysctl

Test sysctl.conf: sysctl -p /etc/sysctl.conf and activate an error-free sysctl by daemon or in /etc/rc.local

sysctl -p /etc/sysctl.config

Disable Unwanted SUID- and SGID-Binaries
All SUID/SGID bits enabled file can be misused when the SUID/SGID executable has a security problem or bug. All local or remote user can use such file. It is a good idea to find all such files. Use the find command as follows:
#See all set user id files:
find / -perm +4000
# See all group id files
find / -perm +2000
# Or combine both in a single command
find / ( -perm -4000 -o -perm -2000 ) -print
find / -path -prune -o -type f -perm +6000 -ls

You need to investigate each reported file. See reported file man page for further details.
https://www.cyberciti.biz/tips/linux-security.html

User auditing - The Big Brother is watching you
If you are really paranoid you might want to add a system-wide configuration to audit, what the users are doing in your system. This sections presents some tips using diverse utilities you can use.

- Input and output audit with script, 4.11.10.1
- Using the shell history file, 4.11.10.2
- Complete user audit with accounting utilities, 4.11.10.3
- Other user auditing methods, 4.11.10.4
- Reviewing user profiles, 4.11.11
- Limiting what users can see/access, 4.11.13
- Limiting access to other user´s information, 4.11.13.1
- Generating user passwords, 4.11.14
- Checking user passwords

kauditd and auditd: Linux Audit Kernel Subsystem and Linux Audit System
Who does audit the code?
kauditd: internal kernel-auditing, for example of windows-titles out of Firefox online.


Kernel-interner audit-Daemon kauditd: URL, Webseiten-Inhalte: Fentstertitel, ... (online mit Browsern wie Firefox)


"00:00:12 [kauditd] dbadmin 4182 1 4182 0 1 May18 00:02:19 /opt/vertica/spread/sbin/spread -c /home/dbadmin/DatabaseName/v_DatabaseName_node0001_catalog/spread.conf..."
https://forum.vertica.com/discussion/236239/vertica-service-not-starting-after-server-reboot

kauditd is a kernel process, which is a part of the Linux kernel responsible for the kernel audit events (and communicates with the auditd process). The special brackets surrounding it are telling you that this is not a regular (userland) process (launched through a command), but a kernel process (started/managed by the Linux kernel itself)
https://wiki.gentoo.org/wiki/SELinux/Tutorials/The_security_context_of_a_process
The auditd is provided for system auditing. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. With auditd you can answers the following questions:

System startup and shutdown events (reboot / halt).
Date and time of the event.
User respoisble for the event (suh as trying to access /path/to/topsecret.dat file).
Type of event (edit, access, delete, write, update file &commands).
Success or failure of the event.
Records events that modify date and time.
Find out who made changes to modify the system´s network settings.
Record events that modify user/group information.
See who made changes to a file etc.

See our quick tutorial which explains enabling and using the auditd service.
https://www.cyberciti.biz/tips/linux-security.html

kauditd und auditd: Kernel- und Linux Audit System
Who does audit the audit code?

How to use Auditing System in Linux - Configure, Audit Logs and ...
Well, the Linux Auditing system is the answer for all the above questions. The Linux Auditing system allows an administrator to configure audit rules to monitor the system calls, network access, files etc…and generate a summary report – which can be later analyzed and investigated for suspicious activity.
https://techglimpse.com/how-to-use-auditing-system-in-linux-configure-audit-logs-and-generate-reports/

See our quick tutorial which explains enabling and using the auditd service.
https://www.cyberciti.biz/tips/linux-security.html

The Linux audit subsystem is not one of the best-loved parts of the kernel. It allows the creation of a log stream documenting specific system events — system calls, modifications to specific files, actions by processes with certain user IDs, etc. For some, it is an ideal way to get a handle on what is being done on the system and, in particular, to satisfy various requirements for security certifications (Common Criteria, for example). For others, it is an ugly and invasive addition to the kernel that adds maintenance and runtime overhead without adding useful functionality. More recently, though, it seems that audit adds some security holes of its own. But the real problem, perhaps, is that almost nobody actually looks at this code, so bugs can lurk for a long time.
The system call auditing mechanism creates audit log entries in response to system calls; the system administrator can load rules specifying which system calls are to be logged. These rules can include various tests on system call parameters, but there is also a simple bitmask, indexed by system call number, specifying which calls might be of interest. One of the first things done by the audit code is to check the appropriate bit for the current system call to see if it is set; if it is not, there is no auditing work to be done.
[...] In summary, the code is a giant mess. The way it works is nearly incomprehensible. It contains at least one severe bug. I´d love to see it fixed, but for now, distributions seem to think that enabling CONFIG_AUDITSYSCALL is a reasonable thing to do, and I´d argue that it´s actually a terrible choice for anyone who doesn´t actually need syscall audit rules. And I don´t know who needs these things.

It is telling, though, that this particular vulnerability has existed in the audit subsystem almost since its inception. The audit code receives little in the way of review; most kernel developers simply turn it off for their own kernels and look the other way. But this subsystem is just the sort of thing that distributors are almost required to enable in their kernels; some users will want it, so they have to turn it on for everybody. As a result, almost all systems out there have audit enabled (look for a running kauditd thread), even though few of them are using it. These systems take a performance penalty just for having audit enabled, and they are vulnerable to any issues that may be found in the audit code.
If audit were to be implemented today, the developer involved would have to give some serious thought, at least, to using the tracing mechanism. It already has hooks applied in all of the right places, but those hooks have (almost) zero overhead when they are not enabled. Tracing has its own filtering mechanism built in; the addition of BPF-based filters will make that feature more capable and faster as well. In a sense, the audit subsystem contains yet another kernel-based virtual machine that makes decisions about which events to log; using the tracing infrastructure would allow the removal of that code and a consolidation to a single virtual machine that is more widely maintained and reviewed.
The audit system we have, though, predates the tracing subsystem, so it could not have been based on tracing. Replacing it without breaking users would not be a trivial job, even in the absence of snags that have been glossed over in the above paragraph (and such snags certainly exist). So we are likely stuck with the current audit subsystem (which will certainly not be marked "broken" in the mainline kernel) for the foreseeable future. Hopefully it will receive some auditing of its own just in case there are more old surprises lurking therein.
Posted May 30, 2014 6:50 UTC (Fri) by bnorris (subscriber, #92090) [Link]
&g; As a result, almost all systems out there have audit enabled

DOLLARSIGN grep CONFIG_AUDIT /boot/config-´uname -r´
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y

( You might want to comment them in ... )

> (look for a running kauditd thread)
None here.
&g; even though few of them are using it. These systems take a performance penalty just for having audit enabled, and they are vulnerable to any issues that may be found in the audit code.
I´m not an expert on the kaudit subsystem (in fact, I just learned of it), but it looks like kauditd is only spawned in response to a user-space request for it (e.g. from SELinux auditd). See kernel/audit.c:...
https://lwn.net/Articles/600568/ man auditd
man auditd.conf

Disable auditd temporarily (this will disable logging instantly but will not survive a reboot):


auditctl -e0 # for example within /etc/rc.local

Disable auditd permanently (this will require a reboot):

systemctl disable auditd

http://kb.ictbanking.net/article.php?id=632

kauditd - CentOS | Forum
kauditd. General support questions including new installations. How to disable kauditd? I tried to put audit=0 to the kernel line in grub, but no luck....
www.centos.org/forums/viewtopic.php?t=10899

kauditd might care for connection even with SELinux from NSA. So why did he had no luck with it? Boot-parameter "audit=0" (for grub: within /boot/grub/menu.lst) does prevent from kernel audit named kauditd ever starting: no auditing like firefox by the kernel anymore!

Disable the OOM Killer (process oom_reaper), The Ubuntu Forum Community, Ubuntu Specialised Support, January 2nd, 2014
As the title suggests, regardless of the repercussions, how do you disable this "feature".
Please do not provide alternate suggestions such as "get more ram" or "tell the program to use less memory".
I´m running a Minecraft server that has its heap space and permgen configured to use nearly all of the available memory on the vps where it resides. I have a highly specific reason for doing this and no, it has never caused me any problems in the past.

Yes the OOM Killer is killing the process see: OOM killed process 659 (java) vm:4973220kB, rss:2066504kB, swap:0kB
Who ever thought killing processes that are consuming beyond a specific amount of memory was a good idea, you have caused me and, the users of my server immeasurable levels of frustration. I am no Linux guru, so any help would be appreciated so long as that help reads "To disable the oom-killer do X".
Thank you in advance.

Re: Disable the OOM Killer http://thetechnick.blogspot.com/2010...-on-linux.html http://www.oracle.com/technetwork/ar...r-1911807.html The OOM killer can be completely disabled with the following command. This is not recommended for production environments, because if an out-of-memory condition does present itself, there could be unexpected behavior depending on the available system resources and configuration. This unexpected behavior could be anything from a kernel panic to a hang depending on the resources available to the kernel at the time of the OOM condition.

sysctl vm.overcommit_memory=2 # mouseclick-fast echo "vm.overcommit_memory=2" >> /etc/sysctl.conf

[...] Re: Disable the OOM Killer
Hi, Psionic,
I was having the same difficulties. You report that the oom-killer is still killing your process, I suggest either properly fully disabling the oom-killer or lowering the overcommit ratio, as follows:

Disabling OOM Killer
According to: https://www.kernel.org/doc/Documenta...ups/memory.txt
Code:

You can disable the OOM-killer by writing "1" to memory.oom_control file, as:

# echo 1 > memory.oom_control # (unknown variable by sysctl, remark, Gooken)

Reducing Overcommit Ratio
According to https://www.kernel.org/doc/Documenta...mit-accounting
Code:

2 - Don´t overcommit. The total address space commit for the system is not permitted to exceed swap + a configurable amount (default is 50%) of physical RAM.
Depending on the amount you use, in most situations this means a process will not be killed while accessing pages but will receive errors on memory allocation as appropriate.
Useful for applications that want to guarantee their memory allocations will be available in the future without having to initialize every page.
The overcommit policy is set via the sysctl ´vm.overcommit_memory´.
The overcommit amount can be set via ´vm.overcommit_ratio´ (percentage) or ´vm.overcommit_kbytes´ (absolute value).
There´s a rather good article on this topic http://www.linuxdevcenter.com/pub/a/...ry.html?page=1
Of course, in general if you´re getting processes killed it means there´s a problem with using more memory than the system can cope with, and the symptoms are very likely to come out somewhere else. In my case the oom-killer was definitely picking the right process, even though it was the primary purpose of the whole computer: the program had a data-dependent bug and was allocating memory out of control.
I hope that helps.
Kind regards,
...
https://serverfault.com/questions/606185/how-does-vm-overcommit-memory-work

More about oom_reaper
ttps://stackoverflow.com/questions/35791416/how-to-disable-the-oom-killer-in-linux
https://lwn.net/Articles/666024/
https://lwn.net/Articles/668126/
https://code.woboq.org/linux/linux/mm/oom_kill.c.html
https://www.oracle.com/technical-resources/articles/it-infrastructure/dev-oom-killer.html
https://superuser.com/q/1150215
https://ubuntuforums.org/showthread.php?t=2197016
https://askubuntu.com/q/1188024
https://unix.stackexchange.com/q/432171
https://blog.csdn.net/s_lisheng/article/details/82192613

rtkit-daemon (rpm rtkit)
Description: "RealtimeKit is a D-Bus system service that changes the scheduling policy of user processes/threads to SCHED_RR (i.e. realtime scheduling mode) on request. It is intended to be used as a secure mechanism to allow real-time scheduling to be used by normal user processes.".
https://fr2.rpmfind.net/
"I´s...a management daemon so to say. Instead of applications asking the kernel directly (and needing proper permissions for this, usually root) they ask the daemon. The daemon can hand out the realtime permissions then according it its configuration (/etc/dbus-1/system.d/org.freedesktop.RealtimeKit1.conf). It´s simply a helper process that allows applications to ask for realtime permissions through dbus...not really much more. But having such a helper process makes the whole procedure much more secure (no suid root needed for some programs), cleaner (dbus interface) and more flexible (one daemon to configure, not each program with an own configuration..if at all)."

For rtkit isn´t almost needed, as we got told in the internet above, and there are no real dependencies from it, it´ might not be a bad idea to deinstall it:

"rpm -e --nodeps rtkit"

... same eventually with Packagekit (el6), gvfsd (gvfs (el6) and so on: just deinstall them! The less (not really needed daemons do run under root, the more secure the system might behave...

netns, migration/0, kintgerityd, oom_reaper, ... ( one of them lists the actual website-title!)
Kernel-daemons almost can´t get deactivated manually! This might be possible by removing some (not needed) kernel-modules by rmmod, delmod or kernel-configuration only (within file .config).

netns
Running strongSwan in Network Namespaces (netns) on Linux
Normally, the network stack (interfaces, routing tables, firewall rules etc.) is shared by all processes running on an operating system. With Linux network namespaces (netns) it´s possible to have multiple separate instances of the network stack.
Note: While basic support for network namespaces was added to the Linux kernel a long time ago, some features (e.g. CLUSTERIP support) might require a recent kernel.
The easiest way to work with network namespaces is to use the ip command of the iproute2 package. These commands will have to be executed as root (i.e. with sudo on most distros).
Network Namespace Basics
To create a new netns use the following command:

# ip netns add <network namespace name>

A list of all currently defined netns is provided by ip netns list.

Interfaces can be assigned to a netns with the ip link command:

# ip link set <interface name> netns <netns name>

If you run ip link list afterwards such an interface won´t be seen as it is only available in the configured netns.

So to actually list the interface in a specific netns it´s required to be able to run commands in a specific netns. This can be done with the ip netns exec command. So to get a list of interfaces defined in a specific netns use:

# ip netns exec <netns name> ip link list

If only one physical interface is available, or if you don´t want to assign physical interfaces to the netns for other reasons, it´s possible to create virtual Ethernet interface pairs (veth, provided via CONFIG_VETH). These are like a bi-directional pipe (i.e. what´s written to one end comes out the other and vice-versa) of which one end is placed inside the netns and the other stays outside in the "default" or "global" namespace.

To create such a pair use:

# ip link add <interface name 1> type veth peer name <interface name 2>

This creates two connected Enthernet interfaces with the given names. One is assigned to a netns (via ip link) the other is not (it doesn´t matter which one and it´s also possible to assign both interfaces to two different netns to connect them). How the outer interface is used depends on the use case, it may be put inside a bridge, or used in routing rules to route traffic to and from a netns.

Since interfaces assigned to a netns are disabled they have to be enabled first, and they will probably also require an IP address, which can be done with:

# ip netns exec <netns name> ip addr add x.x.x.x/x dev <iface name>
# ip netns exec <netns name> ip link set dev <iface name> up

Similar to these commands routes or firewall rules may be added by running ip route or iptables inside a specific netns via ip netns exec <command>.

Running a single instance of strongSwan inside a netns is straight-forward. Simply run ipsec commands via ip netns exec ipsec <command>.
But more interesting is probably running multiple instances of strongSwan in separate namespaces. Because all netns share the same file system this is a bit tricky.
Luckily, the ip netns exec command provides a helpful feature: Every file found in /etc/netns/<name>/ for a given netns is bind mounted over its corresponding counterpart in /etc (so it has to exist there). This can be used to provide different config files for each instance, but may also be used to redirect the so called piddir, where the charon and starter daemons create their PID files and UNIX sockets (the default is to use /var/run, which would conflict if multiple instances would use it).
To do so make sure strongSwan is configured with --sysconfdir=/etc and e.g. --with-piddir=/etc/ipsec.d/run. Then after building and installing strongSwan the piddirs can be created as follows:

# mkdir -p /etc/ipsec.d/run
# mkdir -p /etc/netns/<netns name 1>/ipsec.d/run
# mkdir -p /etc/netns/<netns name 2>/ipsec.d/run
https://wiki.strongswan.org/projects/strongswan/wiki/Netns

StrongSwan is an OpenSource IPsec-based VPN Solution for Linux * runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels * implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols * Fully tested support of IPv6 IPsec tunnel and transport connections * Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555) * Automatic insertion and deletion of IPsec-policy-based firewall rules * Strong 128/192/256 bit AES or Camellia encryption, 3DES support * NAT-Traversal via UDP encapsulation and port floating (RFC 3947) * Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels * Static virtual IPs and IKEv1 ModeConfig pull and push modes * XAUTH server and client functionality on top of IKEv1 Main Mode authentication * Virtual IP address pool managed by IKE daemon or SQL database * Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.) * Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin * Support of IKEv2 Multiple Authentication Exchanges (RFC 4739) * Authentication based on X.509 certificates or preshared keys * Generation of a default self-signed certificate during first strongSwan startup * Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP * Full support of the Online Certificate Status Protocol (OCSP, RCF 2560). * CA management (OCSP and CRL URIs, default LDAP server) * Powerful IPsec policies based on wildcards or intermediate CAs * Group policies based on X.509 attribute certificates (RFC 3281) * Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface) * Modular plugins for crypto algorithms and relational database interfaces * Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869) * Optional built-in integrity and crypto tests for plugins and libraries * Smooth Linux desktop integration via the strongSwan NetworkManager applet This package triggers the installation of both, IKEv1 and IKEv2 daemons.
https://fr2.rpmfind.net

Block network access of a process, unix.stackexchange.com
It is possible to block the (outgoing) network access of a single process in different ways: by unshare / nsenter, ip-netns, iptables, apparmor and firejail.
https://unix.stackexchange.com/questions/68956/block-network-access-of-a-process

Notice: We use right above mentioned command "unshare" for starting firejail (for sandboxing firefox (including for example libtrace.so of different file-sizes the versions) by the command "unshare firejail..." etc)., psad (/etc/init.d/psad: prog="unshare psad"), uuidd (/etc/init.d/uuidd with prog="unshare uuidd" and "daemon.... unshare DOLLARSIGNDAEMON" within the start-function, apparmor-dbus out of /etc/rc.local, messagebus (/etc/init.d/messagebus with processname="unshare dbus-daemon", dbus), gpm (/etc/init.d/gpm with "daemon "unshare /usr/sbin/gpm" -m ... ), cups (/etc/init.d/cups with "daemon "unshare cups" ...), dm (again in /etc/init.d/dm), X (X11, ServerCmd=/usr/bin/unshare /usr/bin/X within (resp., to be more concrete, follow the linking of) /usr/share/config/kdm/kdmrc: enhance the command for execution of X with unshare: "ServerCmd=/usr/bin/unshare /usr/bin/X"), kdm (/usr/share/config/kdm/kdmrc with "Preloader=/usr/bin/unshare /usr/bin/preloadkde", haldaemon (/etc/init.d/haldaemon), udevd (in /sbin/start_udev with "else /usr/bin/unshare /sbin/udevd -d ..."), polkitd (/etc/xdg/polkit-gnome-authentification-agent-1.desktop: "exec=unshare /usr/libexec/polkit-gnome-authentication-agent-1" and /etc/xdg-polkit-kde-authentification-agent-1.desktop: "exec=unshare /usr/libexec/polkit-kde-authentification-agent-1 ), konsole and xterm, dolphin, drakconf.real resp. drakconf (MCC), network-ready-games like gl-117, trackballs, extremetuxracer, marsshooter, freedroidrpg, orbital, xonotic etc. in future (do them all just to be careful)! Some kernel-modules like for usblp for USB-printer by unshare (for example in /etc/rc.loca): unshare COMMA-ABOVE-FOR-EXECUTIONmodprobe usblpCOMMA-ABOVE-FOR-EXECUTION, graphic-card (just experimentel): unshare COMMA-ABOVE-FOR-EXECUTIONi915COMMA-ABOVE-FOR-EXECUTION, mainboard (just experimentel!): unshare COMMA-ABOVE-FOR-EXECUTIONlpc_ichCOMMA-ABOVE-FOR-EXECUTION, (less experimentel): unshare COMMA...modprobe videoCOMMA..., but still NOT functioning are those "unshared" ones for internal kernel-processs like kernel-daemon netns (/etc/rc.local): "unshare --net --mount -p pidof netns", oom_reaper (/etc/rc.local): "unshare --net --mount -p pidof oom_reaper", migration/0 (/etc/rc.local): "unshare --net --mount -p pidof migration/0". Also try firejail for a sandboxed network namespace by option net, netfilter, join-network=name|pid and netns, see man firejai, section join-network for good examples also doing fine with Linfw3 (through iptables-restore and iptables-save) or try slirp4netns (OpenSuSE 15.2).

Gooken does not want to say something wrong, but especially hardening the root- and suid-processes by unshare makes the computer secure (as quit all remaining riscs do depend from kernel-processes now) and, as we, believe it or not, really meant having recognized, very mouseclick-fast too!

watchdogd: How can I disable a watchdog, once it has been enabled?
Normally to shut down the watchdog driver you have to write a ´V´ character to /dev/watchdog which you could do from a root bash prompt just with:

echo ´V´ > /dev/watchdog

However, before you try to create your own watchdog driver take a look at the existing Linux watchdog daemon to see, if it can do the job. A good start is my page here: http://www.sat.dundee.ac.uk/~psc/watchdog/Linux-Watchdog.html
https://unix.stackexchange.com/questions/144588/how-can-i-disable-a-watchdog-once-it-has-been-enabled Increase kernel integrity with disabled Linux kernel modules loading
Increasing Linux kernel integrity
Disable loading kernel module on Linux systems, linux-audit.com
The Linux kernel can be configured to disallow loading new kernel modules. This feature is especially useful for high secure systems, or if you care about securing your system to the fullest. In this article, we will have a look at the configuration of this option. At the same time allowing legitimate kernel modules to be loaded.
Disable kernel modules
Newer kernel modules have a sysctl variable named kernel.modules_disabled.
Sysctl is the tool which allows you to see and change kernel settings of a running system. The related /etc/sysctl.conf file is used to ensure that your settings are also used at the next boot of the system.
The sysctl key kernel.modules_disabled is very straightforward. If it contains a "1" it will disable loading new modules, where a"0" will still allow loading them.
Using this option will be a great protection against loading malicious kernel modules. For example, it may help to counter rootkits. Needless to say, but when someone was already been able to gain root access, you have a serious problem. Still, setting this security measure can be useful to achieve maximum hardening of your Linux system. An altered script or program has no chance of loading things you didn’t specifically approve.
[...] By default, the sysctl key is set to"0", which means new modules can be loaded. This is a safe default for systems but also allows malicious modules to be loaded.

# sysctl -a | grep modules
kernel.modules_disabled = 0

Now we disable loading new modules, by using the sysctl key and set it to"1". There are two ways of doing it, using sysctl directly or echo the value to a file on the pseudo file system /proc, which holds the kernel settings.

# echo 1 > /proc/sys/kernel/modules_disabled

Protection against re-enabling
You might think that loading a kernel module is as simple as re-enabling the option and then still load your kernel module. The kernel has a built-in protection, to avoid this from happening. Trying to set the value back to"0" will result in an"invalid argument" message.
Sysctl showing invalid argument when trying to set value
As can be seen, sysctl will say the value is set to"0". However, the value isn’t applied, as this key is read-only. Slightly confusing, and therefore always good to check the value again.

# sysctl kernel.modules_disabled
kernel.modules_disabled = 1

As expected, the value is still set to"1".
Disable module loading after boot time

By configuring the /etc/sysctl.conf file we can disallow the loading of kernel modules at boot time. Simply add the related line, with the value"1" as shown in the example. Caveat: Things might break
Depending on your environment, you might be careful with using this option. It may be working very well on servers, but not on desktop systems. The reason is the type of usage is different, especially when it comes with loading new kernel modules. For example inserting a USB drive, mouse or network functionality might break. So before deploying the option, make sure you test these common use cases.
Hybrid option
Instead of enabling the option directly via /etc/sysctl.conf, it might be better to activate this setting after booting and loading required modules.
Your startup script could be looking like

#!/bin/sh/ # code by Gooken
sleep 45 # original text: 300; decrease this time, if usb and all modules are working fine, if not, test checkout lsmod and increase it
# insmod <module>
# insmod <module>
modprobe usb_storage
modprobe vfat
modprobe fat
modprobe nls_iso8859_1
modprobe nls_cp437
modprobe cryto_simd
modprobe glue_helper
modprobe dax
modprobe uinput
modprobe ahci
modprobe libahci
modprobe ecb
modprobe af_alg
modprobe algif_skcipher
modprobe lrw
modprobe gf182mul
modprobe cbc
modprobe aes_x86_64 # for USB, that might be LUKS-encrypted
modprobe twofish_common
modprobe twofish_x86_64_3way
modprobe twofish_x86_64
modprobe twofish_generic
echo 1 > /proc/sys/kernel/modules_disabled

Usually to get iptables working, these are the related modules: iptables, x_tables, iptable_filter.
Depending on your Linux distribution, the startup should be loaded as late as possible. If you have /etc/rc.local available, that is usually a safe bet.
Do you use this option already? Or found some other caveats? Like to hear your feedback in the comments.
https://linux-audit.com/increase-kernel-integrity-with-disabled-linux-kernel-modules-loading/

In other words: write the small routine from above into a runlevel-init-script (for example this of /etc/init.d/linfw3 renamed to /etc/init.d/modules-disabled) right into the start function, where it is executed by the command start & (and not just the command "start") in the background. Before this is done, remove all code not needed anymore from this script. Now the script itself is executed not as usual by chkconfig, ntsysv7, the MCC (drakconf) or systemd, but only out of /etc/rc.local by the command "sh /etc/init.d/modules-disabled start".

kernel.printk.* in /etc/sysctl.conf
kernel.printk =0 6 7 0 # The four values in printk denote: console_loglevel, default_message_loglevel, minimum_console_loglevel and default_console_loglevel respectively.
0=emerg, 1=alert, 2=crit, ...
kernel.printk_ratelimit = 5 # period to wait in seconds
kernel.printk_ratelimit_burst = 60 # max. amount same time
https://unix.stackexchange.com/questions/13019/description-of-kernel-printk-values

Regelmäßig Logs analysieren
Speichere logs in vorgesehene Log-Server. Damit wird verhindert, dass Eindringlinge auf einfache Art Modifikationen an Log-Dateien vornehmen. Hier noch einmal namentlich die in Linux üblichen Log-Dateien und ihre Verwendung:

/var/log/message - Hier protokolliert mehr oder weniger das gesamte System
/var/log/auth.log - Authentifizierung
/var/log/kern.log - Kernel-Logs.
/var/log/cron.log - Crond-Logs (cron job).
/var/log/maillog - Mailserver-Logs
/var/log/boot.log - System-boot-Log
/var/log/mysqld.log - Logdatei des MySQL-Datenbankservers
/var/log/secure - Authentifizierung
/var/log/utmp oder /var/log/wtmp : Protokolliert die records-Dateien
/var/log/yum.log: Yum-Logdatei
https://www.tecmint.com/linux-server-hardening-security-tips/

Prevent too informative system information in logfiles
The system-log-level reach from debug over info, warning up to emerg. A detailed protocolling is something to think about, they can be read out by users as much as processes. For outputs of dmesg log-level "warning" might restrict delivered protocol-information:

/etc/init.d/rklogd
RKLOGD_OPTIONS="-c 4"

Using and customizing logcheck
The logcheck package in Debian is divided into the three packages logcheck (the main program), logcheck-database (a database of regular expressions for the program) and logtail (prints loglines that have not yet been read). The Debian default (in /etc/cron.d/logcheck) is that logcheck is run every hour and after reboots.
This tool can be quite useful if properly customized to alert the administrator of unusual system events. Logcheck can be fully customized so that it sends mails based on events found in the logs and worthy of attention. The default installation includes profiles for ignored events and policy violations for three different setups (workstation, server and paranoid). The Debian package includes a configuration file /etc/logcheck/logcheck.conf, sourced by the program, that defines which user the checks are sent to. It also provides a way for packages that provide services to implement new policies in the directories: /etc/logcheck/cracking.d/_packagename_, /etc/logcheck/violations.d/_packagename_, /etc/logcheck/violations.ignore.d/_packagename_, /etc/logcheck/ignore.d.paranoid/_packagename_, /etc/logcheck/ignore.d.server/_packagename_, and /etc/logcheck/ignore.d.workstation/_packagename_. However, not many packages currently do so. If you have a policy that can be useful for other users, please send it as a bug report for the appropriate package (as a wishlist bug). For more information read /usr/share/doc/logcheck/README.Debian.
The best way to configure logcheck is to edit its main configuration file /etc/logcheck/logcheck.conf after installation. Change the default user (root) to whom reports should be mailed. You should set the reportlevel in there, too. logcheck-database has three report levels of increasing verbosity: workstation, server, paranoid. "server" being the default level, paranoid is only recommended for high-security machines running as few services as possible and workstation for relatively sheltered, non-critical machines. If you wish to add new log files just add them to /etc/logcheck/logcheck.logfiles. It is tuned for default syslog install.
Once this is done you might want to check the mails that are sent, for the first few days/weeks/months. If you find you are sent messages you do not wish to receive, just add the regular expressions (see regex(7) and egrep(1)) that correspond to these messages to the /etc/logcheck/ignore.d.reportlevel/local. Try to match the whole logline. Details on howto write rules are explained in /usr/share/doc/logcheck-database/README.logcheck-database.gz. It´s an ongoing tuning process; once the messages that are sent are always relevant you can consider the tuning finished. Note that if logcheck does not find anything relevant in your system it will not mail you even if it does run (so you might get a mail only once a week, if you are lucky).

Configure, where alerts are sent
Debian comes with a standard syslog configuration (in /etc/syslog.conf) that logs messages to the appropriate files depending on the system facility. You should be familiar with this; have a look at the syslog.conf file and the documentation if not. If you intend to maintain a secure system you should be aware of where log messages are sent so they do not go unnoticed.
For example, sending messages to the console also is an interesting setup useful for many production-level systems. But for many such systems it is also important to add a new machine that will serve as loghost (i.e. it receives logs from all other systems).
Root´s mail should be considered also, many security controls (like snort) send alerts to root´s mailbox. This mailbox usually points to the first user created in the system (check /etc/aliases). Take care to send root´s mail to some place where it will be read (either locally or remotely).
There are other role accounts and aliases on your system. On a small system, it´s probably simplest to make sure that all such aliases point to the root account, and that mail to root is forwarded to the system administrator´s personal mailbox.

Firefox: Copy the secure libssl*, libnss* and libnspr4* of tor-Browser (ESR) or out of an actual Firefox like 63 to Firefox (ESR, same version as tor-browser) into /usr/lib64/firefox/ followed by chown root:root and chmod 755 upon them.

Protecting against ARP-attacks
When you don´t trust the other boxes on your LAN (which should always be the case, because it´s the safest attitude) you should protect yourself from the various existing ARP attacks.
As you know the ARP protocol is used to link IP addresses to MAC addresses (see RFC826 for all the details). Every time you send a packet to an IP address an ARP resolution is done (first by looking into the local ARP cache then, if the IP isn´t present, in the cache by broadcasting an ARP query) to find the target´s hardware address. All the ARP attacks aim to fool your box into thinking, that box B´s IP address is associated to the intruder´s box´s MAC address; Then every packet that you want to send to the IP associated to box B will be send to the intruder´s box...
Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to sniff the traffic even on switched networks, to easily hijack connections, to disconnect any host from the network... ARP attacks are powerful and simple to implement, and several tools exists, such as arpspoof from the dsniff package or arpoison.
However, there is always a solution:

Use a static ARP cache. You can set up "static" entries in your ARP cache with:

arp -s host_name hdwr_addr

By setting static entries for each important host in your network you ensure that nobody will create/modify a (fake) entry for these hosts (static entries don´t expire and can´t be modified) and spoofed ARP replies will be ignored. Detect suspicious ARP traffic. You can use arpwatch, karpski or more general IDS that can also detect suspicious ARP traffic (snort, prelude...).
Implement IP traffic filtering validating the MAC address.

Secure up services running on your system
SSH, Squid, FTP, X-Window-System, Display-Manager, Druckerzugriff, Mail-Dienst, BIND, Apache, Finger, chroot- and suid-paranoia, Cleartext-passwort-paranoia, deactivating NIS, deactivating RPC-services:
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.de.html

Package signing
https://www.debian.org/doc/manuals/securing-debian-howto/ch7.de.html

Remote vulnerability assessment tools
The tools provided by Debian to perform remote vulnerability assessment are:

nessus, raccess, nikto (whisker´s replacement)

By far, the most complete and up-to-date tools is nessus which is composed of a client (nessus) used as a GUI and a server (nessusd) which launches the programmed attacks. Nessus includes remote vulnerabilities for quite a number of systems including network appliances, ftp servers, www servers, etc. The latest security plugins are able even to parse a web site and try to discover which interactive pages are available which could be attacked. There are also Java and Win32 clients (not included in Debian) which can be used to contact the management server.

Network scanner tools
Debian does provide some tools used for remote scanning of hosts (but not vulnerability assessment). These tools are, in some cases, used by vulnerability assessment scanners as the first type of "attack" run against remote hosts in an attempt to determine remote services available. Currently Debian provides:

nmap, xprobe, p0f, knocker, isic, hping2, icmpush, nbtscan (for SMB /NetBIOS audits), fragrouter, strobe (in the netdiag package), irpas

While xprobe provide only remote operating system detection (using TCP/IP fingerprinting, nmap and knocker do both operating system detection and port scanning of the remote hosts. On the other hand, hping2 and icmpush can be used for remote ICMP attack techniques.
Designed specifically for SMB networks, nbtscan can be used to scan IP networks and retrieve name information from SMB-enabled servers, including: usernames, network names, MAC addresses...
On the other hand, fragrouter can be used to test network intrusion detection systems and see if the NIDS can be eluded by fragmentation attacks.

Virtual Private Networks
A virtual private network (VPN) is a group of two or more computer systems, typically connected to a private network with limited public network access, that communicate securely over a public network. VPNs may connect a single computer to a private network (client-server), or a remote LAN to a private network (server-server). VPNs often include the use of encryption, strong authentication of remote users or hosts, and methods for hiding the private network´s topology.
Debian provides quite a few packages to set up encrypted virtual private networks:

vtun, tunnelv (non-US section), cipe-source, cipe-common, tinc, secvpn, pptpd, openvpn, openswan (http://www.openswan.org/)

The OpenSWAN package is probably the best choice overall, since it promises to interoperate with almost anything that uses the IP security protocol, IPsec (RFC 2411). However, the other packages listed above can also help you get a secure tunnel up in a hurry. The point to point tunneling protocol (PPTP) is a proprietary Microsoft protocol for VPN. It is supported under Linux, but is known to have serious security issues.
For more information see the VPN-Masquerade HOWTO (covers IPsec and PPTP), VPN HOWTO (covers PPP over SSH), Cipe mini-HOWTO, and PPP and SSH mini-HOWTO.
Also worth checking out is Yavipin, but no Debian packages seem to be available yet.

Reaction in the case of user-idle-state, https://wiki.centos.org/HowTos/OS_Protection
Now that we´ve restricted the login options for the server, lets kick off all the idle folks. To do this, we´re going to use a bash variable in /etc/profile. There are some reasonably trivial ways around this of course, but it´s all about layering the security.

echo "Idle users will be removed after 15 minutes"
echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh

Restrictions for cron and at, https://wiki.centos.org/HowTos/OS_Protection
In some cases, administrators may want the root user or other trusted users to be able to run cronjobs or timed scripts with at. In order to lock these down, you will need to create a cron.deny and at.deny file inside /etc with the names of all blocked users. An easy way to do this is to parse /etc/passwd. The script below will do this for you.

echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
awk -F: ´{print DOLLARSIGN1}´ /etc/passwd | grep -v root > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: ´{print DOLLARSIGN1}´ /etc/passwd | grep -v root > /etc/at.deny

Lockdown Cronjobs
Cron has it´s own built in feature, where it allows to specify who may, and who may not want to run jobs. This is controlled by the use of files called /etc/cron.allow and /etc/cron.deny. To lock a user using cron, simply add user names in cron.deny and to allow a user to run cron add in cron.allow file. If you would like to disable all users from using cron, add the ´ALL´ line to cron.deny file.

# echo ALL >>/etc/cron.deny
Cron Scheduling Examples in Linux: https://www.tecmint.com/11-cron-scheduling-task-examples-in-linux/
https://www.tecmint.com/linux-server-hardening-security-tips/

Sysctl Security, https://wiki.centos.org/HowTos/OS_Protection
Next we need to have a look inside /etc/sysctl.conf and make some basic changes. If these lines exist, modify them to match below. If they don´t exist, simply add them in. If you have multiple network interfaces on the server, some of these may cause issues. Test these before you put them into production. If you want to know more about any of these options, install the kernel-doc package, and look in Documentation/networking/ip-sysctl.txt

# Kernel sysctl configuration file
# /etc/sysctl.conf
# test with sysctl -p /etc/sysctl.conf
# additionally from http://joshrendek.com/2013/01/securing-ubuntu/ resp. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf # Turn on execshild
# kernel.exec-shield = 1
# Controls the System Request debugging functionality of the kernel kernel.sysrq =0 # Controls whether core dumps will append the PID to the core filename. # Useful for debugging multi-threaded applications. kernel.core_uses_pid = 0 kernel.dmesg_restrict = 1
kernel.randomize_va_space = 1
kernel.ctrl-alt-del =1
kernel.panic =0
kernel.acct =4 2 30
kernel.printk =4
kernel.shmall =-1
kernel.shmmax =134217728
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536
kernel.printk_ratelimit = 5 # period to wait in seconds
kernel.printk_ratelimit_burst = 60 # max. amount same time
vm.overcommit_memory=2 # mouseclick-fast
vm.overcommit_ratio=150 # 4 GB RAM + 2 GB SWAP, mouseclick-fast
# or: vm.overcommit_kbytes=
vm.page-cluster =3
vm.oom_dump_tasks =0
dev.raid.speed_limit_min =1000
dev.raid.speed_limit_max =200000
# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max = 65535
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_fin_timeout =3600
net.ipv4.tcp_keepalive_time =7200
net.ipv4.tcp_keepalive_probes =7
net.ipv4.tcp_syn_retries =6
net.ipv4.tcp_retries1 =1
net.ipv4.tcp_retries2 =3
net.ipv4.tcp_retrans_collapse =1
net.ipv4.tcp_sack =1
net.ipv4.ip_default_ttl =64
net.ipv4.ipfrag_time =30
net.ipv4.ip_no_pmtu_disc =0
net.unix.max_dgram_qlen =10
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.ipv6.conf.eth0.disable_ipv6=1
# Tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 0
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
# net.core.default_qdisc=sch_fq_codel
net.ipv4.tcp_congestion_control=cubic
# BBR # net.core.default_qdisc=fq # net.ipv4.tcp_congestion_control=bbr # If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
dev.cdrom.autoclose=1
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1
# to be able to eject via the device eject button (magicdev)
dev.cdrom.lock=0


#
# BBR - Netwerkturbo für Linux
# Die neue Flusskontrolle erscheint aber auch ideal für Server im lokalen Netzwerk, die hin und wieder die Netzwerkbandbreite voll ausschöpfen sollen, etwa bei der Übertragung großer Dateien bei NAS-Geräten, Nextcloud- oder # Streamingservern.
# https://www.pcwelt.de/ratgeber/BBR-Netzwerkturbo-fuer-Linux-im-Ueberblick-10612165.html # net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.core.rmem_max =212992
net.core.wmem_max =212992
net.core.netdev_max_backlog = 5000
#
kernel.sysrq = 0
kernel.core_uses_pid = 1
fs.file-max=65535
kernel.pid_max=65536
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 134217728
kernel.shmall = 4294967296
kernel.randomize_va_space = 2
net.ipv4.tcp_window_scaling=1
net.ipv4.tcp_timestamps=0
net.ipv4.conf.all.log_martians=1# sysctl.conf(5) for more details.
net.ipv6.conf.lo.use_tempaddr = 0
# Disables IP dynaddr
net.ipv4.ip_dynaddr = 1
# Disable ECN
net.ipv4.tcp_ecn = 1
# Controls source route verification
net.ipv4.conf.all.rp_filter =1
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq =0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 0

kernel.dmesg_restrict = 1
# If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
dev.cdrom.autoclose=1
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1

# to be able to eject via the device eject button (magicdev)
dev.cdrom.lock=0

# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0
net.ipv4.ip_forward =0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog =512
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_syncookies = 1
​
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.ipv6.conf.default.router_solicitations=0
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.dad_transmits=0
net.ipv6.conf.default.max_addresses=0
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.core.rmem_default =212992
net.core.wmem_default =212992
net.ipv4.tcp_fin_timeout =3600
net.ipv4.tcp_keepalive_time =7200
net.ipv4.tcp_keepalive_probes =7
net.ipv4.tcp_syn_retries =6
net.ipv4.tcp_retries1 =1
net.ipv4.tcp_retries2 =3
net.ipv4.tcp_retrans_collapse =1
net.ipv4.tcp_sack =1
net.ipv4.ip_default_ttl =64
net.ipv4.ipfrag_time =30
net.ipv4.ip_no_pmtu_disc =0
net.unix.max_dgram_qlen =10
vm.overcommit_memory =2
vm.overcommit_ratio=150 # 4 GB RAM + 2 GB SWAP, mausklick-schnell
# or: vm.overcommit_kbytes=
vm.page-cluster =3
kernel.ctrl-alt-del =1
kernel.panic =0
kernel.acct =4 2 30
kernel.printk =4
kernel.shmall =-1
kernel.shmmax =134217728
dev.raid.speed_limit_min =1000
dev.raid.speed_limit_max =200000
net.ipv4.conf.all.rp_filter=1

Gooken´s excellent DNS-security-concept, details from much further below: "DNS-surf-mask" local (etc/hosts/) for fundamental domain-IP including some blocks, followed by pdnsd (the local DNS-proxy/DNS-server with adjustable long-time storage) and finally tordns (the anonymizing DNS-Server of Tor (the Onion Router), tor-resolve)

Deactivate IPv6, https://help.ubuntu.com/community/StricterDefaults
IPv6 is part of a Linux-kernel since 2.6.28. Such addresses do never change. If IPv6 is configured wrong, it can cause troubles within a network and for DNS-queries.
IPv6 is enabled on Ubuntu by default. Most firewalls (like LINFW3) only apply to IPv4, and completely ignore IPv6. If you don´t use IPv6 at all, you can prevent it loading at boot time by changing alias net-pf-10 ipv6 to alias net-pf-10 off in /etc/modprobe.d/aliases resp. /etc/modprobe.conf and scheduling a reboot.

RedHat Enterprise Linux / CentOS / Fedora Core:
/etc/modprobe.conf, change line:

alias net-pf-10 ipv6
into:
alias net-pf-10 off
alias ipv6 off

and restart the computer.

RedHat Enterprise Linux / CentOS / Fedora Core / Mandriva:
Add the following entry to /etc/sysconfig/network:

NETWORKING_IPV6="no"

... and restart the system.

ktune: Kernel-Tuning resp. by boot-options ( /etc/init.d/ktune, if not already done in /boot/grub/menu.lst)), so make it mouseclick-fast
/etc/sysctl.d/*
nano /etc/sysctl.d/01-disable-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1

nano /etc/sysctl.d/10-ptrace.conf
kernel.yama.ptrace.scope=3

nano /etc/sysctl.d/50-kptr-restrict.conf
kernel.kptr_restrict=1

nano /etc/sysctl.d/armci.conf
# Controls the maximum shared segment size, in bytes, siehe auch /etc/sysctl.conf
kernel.shmmax = 134217728

nano /etc/sysctl.d/libvirtd
The kernel allocates aio memory on demand, and this number limits the
# number of parallel aio requests; the only drawback of a larger limit is
# that a malicious guest could issue parallel requests to cause the kernel
# to set aside memory. Set this number at least as large as
# 128 * (number of virtual disks on the host)
# Libvirt uses a default of 1M requests to allow 8k disks, with at most
# 64M of kernel memory if all disks hit an aio request at the same time.
# fs.aio-max-nr = 1048576

Start ktune
sh /etc/init.d/ktune start

Deactivate IPv6
This article describes, howto deactivate the IPv6 support for Linux and Windows. Dies kann aus Sicherheitsgründen sinnvoll sein, solange man IPv6 noch nicht produktiv einsetzt. Damit kann verhindert werden, dass man eine IPv6 Adresse erhält, sobald ein IPv6 Router Advertisement Daemon in einem Netz verfügbar ist. Außerdem sind bestehende Firewall Rules oft nicht für IPv6 gültig. In diesem Fall hätte man dann unter Umständen Dienste per IPv6 zugänglich die man eigentlich mit einer IPv4 Regel unterbunden hat. Unter Linux gibt es das eigene Kommando "ip6tables" zur Verwaltung der IPv6 Firewall Rules.
1 Ubuntu
2 RHEL / CentOS
Ubuntu
In Ubuntu 10.04, 12.04, 14.04 und 16.04 ist IPv6 direkt in den Kernel kompiliert und wird nicht als Modul geladen. Die einfachste Methode um IPv6 zu deaktivieren ist den passenden sysctl Parameter zu setzen. Temporär kann dies mit folgendem Kommando erfolgen:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

Um diese Einstellung dauerhaft vorzunehmen bietet es sich an auf die sysctl Funktionalitäten zurückzugreifen. Dafür einfach eine Datei namens /etc/sysctl.d/01-disable-ipv6.conf anlegen mit folgendem Inhalt:

net.ipv6.conf.all.disable_ipv6 = 1

Nach dem nächsten Reboot ist IPv6 dann deaktiviert.

Am besten kann dies mit dem Kommando "ip addr show" überprüft werden. Es darf dann keine Einträge mit dem Text "inet6" mehr geben.

ip addr show | grep inet6

RHEL / CentOS

Unter RHEL 6 / CentOS 6 (with many patches/updates by Jonny Hughes, NY, kann die Deaktivierung von IPv6 ident wie unter Ubuntu via sysctl erfolgen (siehe oben).

In RHEL 4 / CentOS 4 ist IPv6 als Modul integriert. Um dieses zu deaktiveren einfach folgende Zeile in der Datei /etc/modprobe.conf hinzufügen:

install ipv6 /bin/true

Die Überprüfung, ob es geklappt hat, kann mit dem Kommando "ip addr show | grep inet6" oder alternativ mit dem Kommando

lsmod | grep -i ipv6

TCP Wrapper, https://wiki.centos.org/HowTos/OS_Protection
Next we need to have a look inside /etc/sysctl.conf and make some basic changes. The TCP wrappers can provide a quick and easy method for controlling access to applications linked to them. Examples of TCP Wrapper aware applications are sshd, and portmap. A restrictive example is below. This example blocks everything but ssh:

echo "ALL:ALL" >> /etc/hosts.deny
echo "sshd:ALL" >> /etc/hosts.allow

Turn on SELinux
Security-Enhanced Linux (SELinux) is a compulsory access control security mechanism provided in the kernel. Disabling SELinux means removing security mechanism from the system. Think twice carefully before removing, if your system is attached to internet and accessed by the public, then think some more on it.
SELinux provides three basic modes of operation and they are.
Enforcing: This is default mode which enable and enforce the SELinux security policy on the machine.
Permissive: In this mode, SELinux will not enforce the security policy on the system, only warn and log actions. This mode is very useful in term of troubleshooting SELinux related issues.
Disabled: SELinux is turned off.
You can view current status of SELinux mode from the command line using ´system-config-selinux´, ´getenforce´ or ´sestatus´ commands.
# sestatus
If it is disabled, enable SELinux using the following command.

setenforce enforcing

It also can be managed from ´/etc/selinux/config´ file, where you can enable or disable it.
https://www.tecmint.com/linux-server-hardening-security-tips/. Bootparameter in /boot/grub/menu:lst: "selinux=1"

AppArmor or SELinux?, forum.ubuntuusers.de
Why does Ubuntu not use SELinux, ... I see it so too.... I have no trust anymore. . Tom-L. Beiträge form year 2007 ( five years before Snowden´s publications...): 1181.
@glasen
Many thanks, I am going to reed it having time next morning..
@timmy11
Soso, NSA aso. Hmm, I would for myself wouldn´t bother about ... I mean, ok, of it would be our government Bundesregierung... Bundes-trojan :lol:
No, but to be serious: Security against third parties may be higher, if institutes like NSA are involved, but I feel the shabby smell with it too.

timmy11
Maybe someone can convince us from the opposite.
For me America means (... the governmental organizations): I like everything to know and to snoop upon.
Murdoc
Avatar von Murdoc
I also see this....I simple do not have any trust anymore:(

Tom L.: I mean having read, that SELinux is an official part of the kernel. Therefore I believe, that Kernel developer ( and more than only the same one) has studied the source code carefully.

glasen: Sorry, but I can not stand your paranoia.
Obviously NSA become a member to develope SELinux, but as Linux is open-source free software, it is impossible for NSA to keep any backdoors secretly open.
If there were one line code, that could not stand Peer-Review, SELinux would never be a part of the kernel-sources!

Murdoc: I believe this too, but they have studied everything, but there are also kernel-exploits :-/

If secret services would do this, intergrating backdoors within the kernel ..., then certainly not by a project like SELinux, but through other parts of the kernel.
comm_a_nder: Hey, boys, think about it.

Mosurft: Generally I do not feel well connecting SELinux made by NSA, even for - I do believe - noone can study and analyze each part of the source-code. Anyoune does always not notice anything, otherwise there would be no lacks in security and even a secret service has got the most interest in getting and checking a PC with the click on the buttom, in order to check out PCs...
I´d like to know, who runs SELinux on a computer with Ubuntu and how it functions! And if someone does not like SELinux, what about Grsecurity? Did anyone check it out?
Greetings, Mo.

comm_a_nder: If i said it in the wrong way and you feel attacked in person, it makes me sorry.
Back to the theme: Especially the parts of software added by NSA, have been checked out well. But as I told you, there were surely much more effective ways for the boys from "Crypto City" to migrate code into kernel-source.

Murdoc. As we are going on paranoidal, I ask for the BIOS.
Now, as ASUS offers a Minimal Linux to browse, the question is posed, what the BIOS is all enabled to do?

Mosurft: If I do not trust the BIOS, then I better do not use any computer...! ;) ...
https://forum.ubuntuusers.de/topic/apparmor-oder-selinux

Introduced mainboard ITX-220 comes with in- and deactivable BIOS-LAN-Chip and Coretemp for the regulation of the temperature... Next point: SELinux. As our excurs shows, it is suspicously not needed. So we´d prefer to deactivate it right within the boot-paramters.

Review Logs Regularly
Move logs in dedicated log server, this may prevents intruders to easily modify local logs. Below are the Common Linux default log files name and their usage:

/var/log/message - Where whole system logs or current activity logs are available.
/var/log/auth.log - Authentication logs.
/var/log/kern.log - Kernel logs.
/var/log/cron.log - Crond logs (cron job).
/var/log/maillog - Mail server logs.
/var/log/boot.log - System boot log.
/var/log/mysqld.log - MySQL database server log file.
/var/log/secure - Authentication log.
/var/log/utmp or /var/log/wtmp : Login records file.
/var/log/yum.log: Yum log files.
https://www.tecmint.com/linux-server-hardening-security-tips/

Shared Memory (shm und tmpfs, siehe unsere /etc/fstab im noch Folgenden), https://help.ubuntu.com/community/StricterDefaults
By default, /run/shm is mounted read/write, with permission to execute programs. In recent years, many security mailing lists have noted many exploits where /run/shm is used in an attack against a running service, such as httpd. Most of these exploits, however, rely on an insecure web application rather than a vulnerability in Apache or Ubuntu. There are a few reasons for it to be mounted read/write in specific configurations, such as real-time configuration of a Synaptics touchpad for laptops, but for servers and desktop installations there is no benefit to mounting /run/shm read/write. To change this setting, edit the /etc/fstab file to include the following line:

none /run/shm tmpfs defaults,ro 0 0

resp. http://joshrendek.com/2013/01/securing-ubuntu/ :

A common exploit vector is going through shared memory (which can let you change the UID of running programs and other malicious actions). It can also be used as a place to drop files once an initial breakin has been made. An example of one such exploit is available here.
Open /etc/fstab/:

tmpfs /dev/shm tmpfs defaults,ro 0 0

This will mount /run/shm in read-only mode. Note: MANY programs will not work if you make /run/shm read-only (e.g. Google Chrome).If you have a good reason to keep it writable, put this line in /etc/fstab instead:

none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0

This will mount /run/shm writable, but without permission to execute programs, without permission to change the UID of running programs, or to create block or character devices in the namespace.

The changes will take effect the next time you reboot, unless you remount /run/shm with the command sudo mount -o remount /run/shm.

SSH Settings, https://help.ubuntu.com/community/StricterDefaults
While the SSH daemon is secure enough for most people, some may wish to further enhance their security by changing certain sshd settings. Some settings which could be changed to enhance security are given here. All changes, unless otherwise stated, are made in the /etc/ssh/sshd_config file. Lines with a pound sign (#) are commented and not read. To edit this file from a terminal:

sudoedit /etc/ssh/sshd_config

For a Gnome editor, press Alt+F2 and use:

gksudo gedit /etc/ssh/sshd_config

For a KDE editor, press Alt+F2 and use:

kdesu kate /etc/ssh/sshd_config

Please remember, after making any changes, sshd must be restarted, which can be done from the terminal with this command:

service ssh restart (CentOS: sh /etc/init.d/sshd restart)
..., https://help.ubuntu.com/community/StricterDefaults .

Configuring bastille, http://joshrendek.com/2013/01/securing-ubuntu/
The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system´s current state of hardening, granularly reporting on each of the security settings with which it works.

File permissions module: Yes (suid)
Disable SUID for mount/umount: Yes
Disable SUID on ping: Yes
Disable clear-text r-protocols that use IP-based authentication? Yes Enforce password aging? No (situation dependent, I have no users accessing my machines except me, and I only allow ssh keys)
Default umask: Yes
Umask: 077
Disable root login on tty 1-6: Yes
Password protect GRUB prompt: No (situation dependent, I´m on a VPS and would like to get support in case I need it)
Password protect su mode: Yes
default-deny on tcp-wrappers and xinetd? No
Ensure telnet doesn´t run? Yes
Ensure FTP does not run? Yes
display authorized use message? No (situation dependent, if you had other users, Yes)
Put limits on system resource usage? Yes
Restrict console access to group of users? Yes (then choose root)
Add additional logging? Yes
Setup remote logging, if you have a remote log host, I don´t so I answered No
Setup process accounting? Yes
Disable acpid? Yes
Deactivate nfs + samba? Yes (situation dependent)
Stop sendmail from running in daemon mode? No (I have this firewalled off, so I´m not concerned)
Deactivate apache? Yes
Disable printing? Yes
TMPDIR/TMP scripts? No (if a multi-user system, yes)
Packet filtering script? Yes
Finished? YES! & reboot

Link the dns resolver nslookup to the anonymizing tor-resolve
We are going to write about Tor (The Onion Router) at the end of our excurs. If you already use Tor, secure up your system by linking nslookup with the DNS-anonymizing resolver tor-resolve:
make a copy of nslookup: cp -f /usr/bin/nslookup /usr/bin/nslookup-save
links nslookup with tor-resolve: ln -sf /usr/bin/tor-resolve /usr/bin/nslookup.
You can do the same for dns-resolving host and dig too.
Notice, that the output of those programs is not the same (but in all cases they do contain the IP for the domain requested).
For programs that do not work past this linking, enter the ip-domain-pairs in /etc/hosts and adjust /etc/nsswitch.conf. Read more about /etc/hosts at the end of our excurs.
At last, think about setting ACL-rights upon these files, see our section for setfacl.

For our "Universal-Linux" (backported sytem) an actual kernel and actual kernel-firmware can be downloaded from PCLinuxOS, a backport of Fedora Core, ROSA, Mageia and Mandriva, http://ftp.pbone.net/mirror/www.pclinuxos.com/pclinuxos/apt/pclinuxos/64bit/RPMS.x86_64/ or https://ftp.nluug.nl/ftp/pub/os/Linux/distr/pclinuxos/pclinuxos/ or https://linux.palemoon.org and other URL. We strongly recommend LONGTERMED kernel-4.20.13 (pclos) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: Version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: Version 008)), glibc (pclos) and kernel-firmware (pclos) and kernel-firmware-extra (pclos) and Konqueror (el6) with the intergrated adbocker resp. actual Firefox (ESR, the backported company edition) from http://ftp.scientificlinux.org/linux/scientific/6.9/x86_64/updates/security/ or http://mirror.centos.org/centos/6/updates/x86_64/Packages/ with extensions named on this webside in the following.

Deinstallation of programs (also see section "Updating/Updates"): If sudo, rpcbind, portmapper, sshd SSH-Daemon, rsh, telnet, avahi-daemon or cups-browsed daemon of the CUPS-system is not needed for example, it is possible to deactivate or deinstall them: "dpkg ..." , "rpm -e [nodeps]" source: https://wiki.kairaven.de/open/os/linux/tuxsectune

Quota
Quota limits the memory consumption for a single user and/or group, so that an "overflow" of a volume resp. partition is prevented. For quota the kernal must be configured. If CONFIG_QFMT_V2 is set as modul, kernel modul quota_v2.ko is added to /etc/modules:

sudo echo quota_v2 >>, /etc/modules

For quota following packages have to be installed:

sudo aptitude install quota quotatool

If there is not any quota upon NFS-mounted file systems resp. RPC-quota-server, the service RPC-Remote-Quota-Server can be deactivated:

sudo systemctl disable quotarpc.service # sh /etc/init.d/quota... stop # and disable

In /etc/fstab the mount-options of the /fs file system are added with the options for the usage of journaling quota:

/etc/fstab

/fs /mountpoint ext4 optionen,usrjquota=aquota.usr/grpjquota=aquota.group,jqfmt=vfsv0|1

Use usrjquota for quota of user and/or grpjquota for groups. Volumes with a size of 4TB use quota-format vfsv1.

Finally restart the system, if the file system can not be mounted by the following command:

sudo mount -o remount /mountpoint

More details and source: https://wiki.kairaven.de/open/os/linux/tuxsectune

Kernel-configuration
Deactivate as much as possible, that means all modules, that are not needed. The preconfiguration for single user is already set for the everyday life. This might differ from special requirements and development and a backup-kernel should be installed parallely too, if the configuration and the boot fails. BR>
More details and source: https://wiki.kairaven.de/open/os/linux/tuxsectune
We are describing, how to configure and compile the kernel-source in our section for updates.

Blocking of modules
https://wiki.kairaven.de/open/os/linux/tuxsectune (resp. by "blacklist modul-name" within /etc/modules.d).

Dienste mit systemd
Removal and deactivation
Deactive all services, that are not needed. Either deinstall complete packages or, if a deinstallation is not wanted, use systemctl (alternatively: ntsysv, chkconfig or MCC#system-services (mdv2010) for deactivation).

More about security-settings for services by systemd and source: https://wiki.kairaven.de/open/os/linux/tuxsectune .

at & cron
Resrict the users, that are enable to create and modify at (batch) and cron jobs, enable them within /etc/at.allow and /etc/cron.allow by entering them with their login-name line-by-line (only for users, that are enabled).

Hardend compilation
Flags, that can be set for the configure-Script.


Executable

´CFLAGS= -g -O2 -fPIE -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security´
´CPPFLAGS= -D_FORTIFY_SOURCE=2´
´CXXFLAGS= -g -O2 -fPIE -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security´
´LDFLAGS= -fPIE -pie -Wl,-z,relro -Wl,-z,now´

Shared Library

´CFLAGS= -g -O2 -fpic -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security´
´CPPFLAGS= -D_FORTIFY_SOURCE=2´
´CXXFLAGS= -g -O2 -fpic -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security´
´LDFLAGS= -fpic -Wl,-z,relro -Wl,-z,now´

If option "-fpic" does not work, use "-fPIC".

Evtl. deinstall ( rpm -e packagename or rpm -e --nodeps packagename )
rpcbind (el6, mdv2010.2), sudo (el6, mdv2010.2), portmap (el6, mdv2010.2), dayplanner, mmc-agent (mdv2010.2), tracker (mdv2010), codeina (mdv2010), xguest (mdv2010), wu-ftpd (mdv2010), anonftp (mdv), mdkonline (mdv2010), f-spot (does not work on the base of updated mono (rosa2014.1), abrt (el6), funguloids (mdv2010.2), banshee (rosa,mdv) and amarok (rosa,mdv): unavailable for el6, both ones do not work, qmmp (el6, mdv) does not work, lxde (mdv2010, lxpanel tries to get inpredictable root-access).

Start only the processes needed. Use net_applet from NetworkManager and not nm-applet. There might be an error in the skript for NetworkManager. Replace everything except last line in start() with "/usr/bin/NetworkManager --login-level=INFO".

Commercial modules: Linux and the NSA
tgruene, 16.10.2013
Bei dem letzten Newslink über Oracles Versuch, dem DOD den Vorteil kommerzieller Software zu erkläeren, kam mir der Gedanke, dass auf einem.typischen Linuxrechner eine ganze Reihe Module laufen, fuer die kein Quellcode zur Verfuegung steht (die dafür von US-amerikanischen Firmen zur Verfügung gestellt werden und somit vermutlich auch gesetzestreue (aka NSA-freundliche) Hintertüren enthalten), seien es Nvidia/ATI-Treiber, Virtualbox oder unter Debian vermutlich fast der gesamte Inhalt von firmware-linux-nonfree.
Mich interessiert, wie gut der Kernel und die Module voneinander abgeschottet sind - wie leicht ist es, solch einem Modul z.B. einen Keylogger einzubauen, der meine Passwörter beim Tippen abfängt und übers Internet irgendwohin schickt? Dass die NSA meine Emails liest, ist unverschämt, stört mich aber an sich nicht weiter, sonst würde ich ja keine Emails an Leute schreiben, deren Schlüssel ich nicht kenne, doch meinen GPG-Schlüssel und die Passwörter abzuhören - dagegen habe ich ganz ordentlich etwas.

Terminal -> lsmod
/etc/modprobe.d/blacklist*
blacklist mei
blacklist it87 # disabled for Mainboard ASUS ITX-220
blacklist i2c_dev # ITX-220
blacklist coretemp # ITX-220
blacklist snd-usb-audio
blacklist snd_pcm_oss
blacklist snd_mixer_oss
blacklist snd_seq_oss
blacklist pata_acpi
blacklist rivatv
blacklist i82875p_edac
# do not use "Boot Protocol" drivers, we prefer usbhid
# and they cause problems when loaded together with usbhid (#37726, #40861)
blacklist usbkbd
blacklist usbmouse
# disable PC speaker by default
# pcspkr is the standard driver, while snd-pcsp is the ALSA driver
blacklist pcspkr
blacklist snd-pcsp
blacklist pcspkr
blacklist snd-pcsp
blacklist vhost
blacklist vhost_net
blacklist tpm_infineon
blacklist tmp_tis
blacklist tmp_tis_core
blacklist i82875p_edac
blacklist pcspkr
blacklist snd-pcsp
blacklist rivatv
blacklist i82875p_edac
blacklist pcspkr
blacklist it87
blacklist i2c_dev
blacklist coretemp
blacklist vhost_net
blacklist tpm_infineon
blacklist tmp_tis
blacklist tmp_tis_core
blacklist i82875p_edac
blacklist pcspkr
blacklist snd-pcsp
blacklist rivatv
blacklist i82875p_edac
blacklist pcspkr
# watchdog drivers
blacklist i8xx_tco
# framebuffer drivers
blacklist aty128fb
blacklist atyfb
blacklist radeonfb
blacklist i810fb
blacklist cirrusfb
blacklist intelfb
blacklist kyrofb
blacklist i2c-matroxfb
blacklist hgafb
blacklist nvidiafb
blacklist rivafb
blacklist savagefb
blacklist sstfb
blacklist neofb
blacklist tridentfb
blacklist tdfxfb
blacklist virgefb
blacklist vga16fb
blacklist matroxfb_base
# ISDN - see bugs 154799, 159068
blacklist hisax
blacklist hisax_fcpcipnp

Partition-check during each system boot)
This is described later on, but it might be such important, to tell it alrady at this place.
We assume, that the partitions got already encrypted with LUKS/dm-crypt (we are describing later on, how this can be made, if not). But the check will work upon unencrypted ones too. To be careful, we are going to check out partitions with file systems like ext4 each system boot, especially thinking of all the updating with rpm-packages in future.

tune2fs -c 1 /dev/mapper/cryptedhomepartition

resp.

reiserfstune -m 1 /dev/mapper/cryptedroot_resp_home_resp_bootpartition

resp.

tune2fs -d 7 /dev/mapper/cryptedroot_resp_home_resp_bootpartition

For unencrypted and not internal kernel-partitions replace the container-file "/dev/mapper/cryptedhomepartiton" with a device file like /dev/sda1.

Also activate in the device configuration file /etc/fstab the check each boot. Do this line (partition) by line (partition) more or less regarding "priorities&uot; of the check, by setting a positive interger not equal to zero behind the number (zero) for the (deactivated) dump at the end of the line: "0 1" for the root-partition, "0 1" or "0 2" for the home-partition and so on.
An example of the content of /etc/fstab as a whole is given further below.

Apache-Webserver (httpd.conf) (analogous: LAN/Samba (samba.conf, database server/MySQL (my.cnf and mysld.conf) and other server, print-server (CUPS) see end of this website )
Now it is the turn for the webserver, almost Apache httpd 1.3 or 2.0. Basic functions are enriched by many loadable modules.
To see, which modules are really needed, have a look into /etc/apache/httpd.conf (CentOS 6 and CentOS 7: /etc/httpd/httpd.conf):

LoadModule autoindex_module /usr/lib/apache/1.3/mod_autoindex.so
LoadModule dir_module /usr/lib/apache/1.3/mod_dir.so
LoadModule cgi_module /usr/lib/apache/1.3/mod_cgi.so
LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
LoadModule proxy_module /usr/lib/apache/1.3/libproxy.so

Superfluos modules can be commented in by "#" plus blank at the very beginning of each line. Apache will work faster and will consumpt less memory the less modules are needed..

Only those modules should be loaded, that are really needed. The kind of server determines, which ones. Nevertheless there are modules, a standard webserver does not need:
* lib_status (presents a server-internal status)
* libproxy (an enormous security risk, as the webserver realizes a proxy for the accesses of other server)
* mod_cgi (to start so-called cgi-scripts. Such scripts are rarely used today as they are one more security risk)
* mod_userdir (generates a web-directory for each user)
In Debian, Apache 2.0 uses the file /etc/apache2/apache2.conf for configuration. All modules symbolically linked in /etc/apache2/mods-enabled are loaded by default. To deactivate such modules, the link has to be deleted.
After the config-files were changed,

apache -t

shows, if the configuration-syntax still is OK.

/etc/init.d/apache restart
oder
/etc/init.d/apache2 restart # C6 (el6): sh /etc/init.d/httpd restart

restarts the server, therewith the changes can take into effect.

Notice, that SuSE makes it the other way. Apache-modules are loaded within the file /etc/sysconfig/apache2. Look out in this file for the line with "APACHE_MODULES" and delete the entries not needed. After this,

SuSEconfig
has to be started out of the shell. Restart Apache by
rcapache2 restart

Get more infos about the task for each module, have a look at

http://httpd.apache.org/docs/1.3/mod/index-bytype.html und
http://httpd.apache.org/docs/2.0/mod/
More reports
Apache: Howto stop unwanted referer, https://www.strassenprogrammierer.de/apache-unerwuenschte-referer-stoppen_tipp_441.html
source. https://www.strassenprogrammierer.de/webserver-absichern-hacker_tipp_479.html

Secure Apache/PHP/Nginx server
Edit httpd.conf file (CentOS: /etc/httpd/conf/httpd.conf) and add the following:

ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options all -Indexes
Header always unset X-Powered-By

Restart the httpd/apache2 server on Linux
You must install and enable mod_security on RHEL/CentOS server. It is recommended that you edit php.ini and secure it too.
https://www.cyberciti.biz/tips/linux-security.html

DDoS-Schutzdienst:
Der DDoS-Schutzdienst ist in der Lage, selbst die komplexesten DDoS-Angriffe abzuwehren.
https://en.wikipedia.org/wiki/Denial-of-service_attack#Distributed_attack
https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/
https://us.norton.com/internetsecurity-emerging-threats-what-is-a-ddos-attack-30sectech-by-norton.html
https://www.digitalattackmap.com/understanding-ddos/

Lastverteilung:
Der Lastenausgleich geht häufig mit Ausfallsicherheitsmechanismen einher: Indem Sie einen Cluster mit der entsprechenden Kapazität aufbauen und die Anforderungen auf einzelne Systeme verteilen, können Sie die Ausfallsicherheit erhöhen Ausfallsicherheit, wenn der Ausfall eines Systems erkannt wird und die Anforderungen automatisch an ein anderes System gesendet werden.
https://de.wikipedia.org/wiki/Lastverteilung_(Informatik)
https://www.nginx.com/resources/glossary/load-balancing/

HMAC authentication
HMAC stands for keyed-hash message authentication code. A message authentication code protects against the modification of transmitted data by an attacker, who can read the data in real time. TLS use hash values (hence the H in HMAC) out of the numerous possibilities for the reliable authentication of messages.
https://en.wikipedia.org/wiki/HMAC

HMAC Authentication in Web API - Dot Net Tutorials
Understanding the Keys used in HMAC Authentication. Uses of HMAC Authentication in Web API. How does the HMAC Authentication work?
https://dotnettutorials.net/lesson/hmac-authentication-web-api/

What is HMAC authentication and how does it make VPN safer?
HMAC stands for hashed message authentication code and is an important factor in VPN security. Learn why strong HMAC auth matters for VPN security.
https://protonvpn.com/blog/hmac-authentication/

Station-to-Station (STS) protocol, Cipher Block Chaining:
CBC stands for Cipher Block Chaining, which is every message depending on the previous passes. So can yourself short interruptions of the channel can be quickly noticed. Diffie-Hellman key exchange:
https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange A symmetric encryption scheme is used, the key of which is the negotiation of Diffie-Hellman key exchanges with elliptic curves. The server and the app use intelligent math to negotiate and verify the secret key, which is then used to encrypt the data for the entire session. Station-to-Station (STS) protocol: https://en.wikipedia.org/wiki/Station-to-Station_protocol In public-key cryptography, the Station-to-Station (STS) protocol is a cryptographic key agreement scheme. The protocol is based on classic Diffie–Hellman, and provides mutual key and entity authentication. Unlike the classic Diffie–Hellman, which is not secure against a man-in-the-middle attack, this protocol assumes that the parties have signature keys, which are used to sign messages, thereby providing security against man-in-the-middle attacks. In addition to protecting the established key from an attacker, the STS protocol uses no timestamps and provides perfect forward secrecy. It also entails two-way explicit key confirmation, making it an authenticated key agreement with key confirmation (AKC) protocol.
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#CBC


Pretty Good Privacy
PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address. The first version of this system was generally known as a web of trust to contrast with the X.509 system, which uses a hierarchical approach based on certificate authority and which was added to PGP implementations later. Current versions of PGP encryption include both options through an automated key management server.
https://en.wikipedia.org/wiki/Pretty_Good_Privacy

Perfect Forward Secrecy
With Perfect Forward Secrecy, even if a dedicated opponent is somehow able to attack the computer or server during a session, they will not be able to decrypt traffic from past sessions. The provider uses namely with each connection a new secret key. Even if you remain connected to the Server for a long period of time, the provider automatically changes the key every 60 minutes. This key renewal process every 60 minutes guarantees "Forward Secrecy". So if an attacker succeeds in compromising the key, in the worst case scenario, he could track the data for up to 60 minutes. Then everything is secret again.
https://en.wikipedia.org/wiki/Forward_secrecy

Shadowsocks SOCKS5 proxy (all servers) Shadowsocks Proxy can be used by the provider through the application (Mac OS X, Windows, Linux, iOS, Android, Windows 10 Mobile). In addition, there is an advantage that "shadow socks" can not even be blocked in highly restrictive networks.
https://shadowsocks.org/en/index.html

Smart DNS Proxy (all servers)
There are currently two common ways to circumvent geo-blocks of foreign video-on-demand services such as Hulu, Netflix or Vudu. The first way is to use SmartDNS services. The term SmartDNS hides on innovative technology that has been specifically designed to bypass the geo-blocking barrier. To configure the SmartDNS service, there is only a minimal change to the TCP/IP properties of the network connection. Then, the user can freely use many suspended streaming services regardless of their current whereabouts.
http://www.unblock.ch/smart-dns-anbieter/

DNS-Leak:
Eigene DNS-Server ohne Festplatten (RAM-Disk). Zusätzlich werden OpenDNS-Server (IPv6) verwendet (Auswahlmöglichkeit in den Einstellungen). Der Dienst schützt zuverlässig vor dem bekannten DNS-Leck.
https://www.hongkiat.com/blog/creating-ram-drives/
https://www.tomshardware.com/news/what-we-know-ddr5-ram,39079.html
https://www.opendns.com/about/innovations/ipv6/

IP-Leak:
Eine eigene Software verhindert zuverlässig Angriffe bekannter DNS-Leak-Methoden.

WebRTC-Leak:
Der Service schützt zuverlässig vor dem bekannten WebRTC-Leak-Problem.

Speicherschutz-Funktion (Schutz vor Serverausfällen):
Diese Funktion ist in der Lage, den verfügbaren Arbeitsspeicher so aufzuteilen und laufende Programme so voneinander zu trennen, dass ein Programmierfehler oder Absturz eines einzelnen Programms nicht die Stabilität anderer Programme oder des Gesamtsystems beeinträchtigt (Speicherschutz-Mechanismus).
Serverausfall (Schutzmöglichkeiten):
Unterspannungsschutz (UVP)
Überspannungsschutz (OVP)
Kurzschlusssicherung (SCP)
Überlastschutz (OPP)
Überstromschutz (OCP)
Überhitzungsschutz (OTP)
Japanische 105°C Kondensatoren (Lebensdauer vom Netzteil)
Brandmelder (im Serverraum eingebaut)
Diese Schutzfunktionen (Netzteil) können die meisten Serverausfälle verhindern.

Login methods, Two-Factor-Authentification (TOTP)
Two factor authentication can be implemented for SSH access or other application login, it will improve login security by adding a second factor of authentication, that is the password is typically known as something you know, while the second factor may be a physical security token or mobile device which acts as something you have. The combination of something you know and something you have ensures that you are more likely who you say you are.

There are custom applications available for this such as Duo Securityand Google Authenticator as well as many others. These typically involve installing an application on a smart phone and then entering the generated code alongside your username and password when you authenticate.
Google Authenticator can be used for many other applications than just SSH, such as for WordPress login with third party plugin support.
https://www.rootusers.com/23-hardening-tips-to-secure-your-linux-server/
4096 bit encryption/Eliptic-cuves-cryptography/
Two-Factor-Authentfication/connection (SSL/TLS encryption)/full IPv6
Support/HMAC-Authentifizierung/Cipher Block Chaining/Diffie-Hellman-Schlüsselaustausch/STS-Protokoll (Station-to-Station)/Pretty Good Privacy/Perfect Forward
Secrecy/encryption tool (Cloud Storage/Backup)/Failure Backup-solution/NAT-Firewall/
DDoS-protection/Lastverteilung/DNS-Leak/IP Leak/WebRTC Leak/WebRTC Leak/
Windows Login Leak/Arttifical Intelligence (NeuroRouting™)/Zero-Knowledge-Beweis/
Fiat-Shamir-Protokoll/Schnorr-Identification/SecureCore-function (security kernel)/
4096 bit encryption:
https://www.pcwelt.de/ratgeber/Verschluesselung_-_Was_ist_noch_unknackbar_-Sicherheits-Check-8845011.html
https://www.heise.de/security/artikel/Kryptographie-in-der-IT-Empfehlungen-zu-Verschluesselung-und-Verfahren-3221002.html?seite=all>
https://de.wikipedia.org/wiki/Elliptic_Curve_Cryptography
https://www.heise.de/select/ix/2017/3/1487529933065685
https://www.computerweekly.com/de/definition/Elliptische-Kurven-Kryptografie-Elliptic-Curve-Cryptography-ECC
https://www.globalsign.com/de-de/blog/ecc-101/
https://www.ssl247.de/certificats-ssl/rsa-dsa-ecc
Two-Factor-Authetification(TOTP):
https://de.wikipedia.org/wiki/Zwei-Faktor-Authentisierung
https://www.pcwelt.de/ratgeber/Wichtige_Dienste_per_Zwei-Faktor-Authentifizierung_schuetzen-Sicherheit-8679969.html
https://www.security-insider.de/flexiblere-zwei-faktor-authentifizierung-an-vpns-a-700259/
https://www.security-insider.de/remote-access-vpn-mit-zwei-faktor-authentifizierung-a-389000/
http://www.itseccity.de/produkte-services/it-security/vpn-loesungen/ncp-engineering090315.html
Authenticator-App:
a) FreeOTP Authenticator
b) Authy
c) Microsoft Authenticator
d) LastPass Authenticator
e) Google Authenticator


Kill hack-attempts against the Secure Shell
In order to prevent hundrets of sshd-tasks starting at the same by a hacking attempt, add the line

MaxStartups 3:30:10

into the configuratio file /etc/ssh/sshd_config. This restriction is effective but complicated. The values in the example mean, that 2 (= 1. value minus 1) unauthenticated (and therefore in the Login-state assembled) sshd-connections are always allowed.
A third connection (= 1. value) is blocked by a probability of 30% (second value).
The probaliity of ending a connection is increasing linear, until up from 10 opened (built-up) connections (third value) each attempt to build up a connection is blocked at all at the rate of 100 in percent.

Notice, that useres already logged in do not refer to these values! The values in the example from above should suffer the need for each small and middle-sized server. If there are plenty of SSH-user, higher values might be recommended, for example:

MaxStartups 10:30:50 6

Source: https://www.strassenprogrammierer.de/sicherheit-ssh-hacker_tipp_480.html

Forbid root-access for SSH
Change the ssh-configuration:

nano /etc/ssh/sshd_config

and set

PermitRootLogin no

And to make it most secure, we add the following lines:

# Only permit user admin.
AllowUsers admin
# Generally block root or user of group root:
DenyUsers root
DenyGroups root

This lines can be added at the beginning of the file. Enhance the entry AllowUser, if further on more user are permitted for the SSH-login. New user are separated by a blank and not colon,. for example:

AllowUsers admin user1 user2 user3 Now the ssh-daemon gets started:

service ssh restart

Debian:

/etc/init.d/ssh reload

CentOS: sh /etc/init.d/sshd restart

Now we open a new session and try to login as root. By using the correct password, we get the message:
Access denied
Quelle: https://www.rechenkraft.net/wiki/Root_Server_absichern_(Ubuntu_14.04)
https://linux-scout.de/sicherheit/debian-server-absichern-so-machen-sie-es-richtig/

Secure Linux Server
From Qloc Wiki
Here you find significant basics to secure a Debian/Ubuntu System. Except the tips listed here there are a lot of security precautions to make attacks more difficult.
Generally for all public systems essential services should only be accessible from the outside. Unused services like webserver or MySQL Server should eiteher be inaccessible with the help of iptables-rules or be deactivated.
Summary

1 Secure keywords (passwords)
2 SSH Port: secure up by change
3 Creating SSH-keys
4 Opening of required ports only
5 Prevention of Brute Force Attacks
6 Installing security updates

https://wiki.qloc.de/index.php/Absichern_eines_Linux_Servers

Right here we´d like to mention the server configuration files for many more security settings (like access/login, ACL-access-rights, log, bandwidth and server-ports (now "client"-ports) to open). Also search for adequate modules resp. securing server-extensions.

- Apache: mod_evasive against DDoS, mod_cband as traffic-Cop
- Fail2Ban for the https-vHosts- resp. htaccess authentification
- 24/7 monitoring with SMS alerting through an SMS Gateway via monit
- encrypted backups in two different computer centers
- instead of unencrypted ftp: SFTP. Transfer gets encrypted through sshd.
Configure an ftp-server working with ssl-encryption, it es similar to POP3 and IMAP. Then the transfers get secure, noone can read data.
Forbid anonymous accounts and run the ftp server in a chroot environment. This keeps away most annoynances.
Use ssh instead of ftpd just relying on ssh too.
Normalerweise ist das Verbinden mit einem FTP-Server mit SSL nicht schwieriger als mit einem ohne.
Just configure the ftp-client for the SSL-ecnryption and he will connect. The everyting works like connecting with a ftp-server without SSL. One will be just asked, if the certificate is accespted.
SSH use port 22. It is possible to upload files too, but the user once logged in has the possibility to access the system- except the account is chrooted.
...
https://serversupportforum.de/forum/security/28079-abschottung-wie-geht-es-nun-weiter-2.html

Memory-protection-function (protection against server-breakdowns):
This function is be abled to separate the RAM into areas and distinguish processes the way, that programmers or breakdowns do not affect the stability of other processes or impairs the whole system (RAM-protection).
Server-breakdown-protection:
Low-Voltage-protection (UVP)
Overvoltage-protection (OVP)
Short circuit protection: (SCP)
Overload-protection (OPP)
Over current stream protection (OCP)
Over heat protection (OTP)
Japanese 105 degree condensators (lifetime of the netadapter)
Fire detectors (server room)


Chroot ( Befehl chroot ): is part of commands resp. communication-protocols like mount, ssh, stfp and effects one of the most serious hard threats! Help is given by sandboxes and/or/including the locking of the shells of the user (unfortunately a sandbox only, if a program works upon sandboxes, for example tor-browser does not (but migh have its own one). We are going to talk about this problem!

Chroot and Chroot-Jail (Chroot-Enviroment, Chroot-Sandbox)
https://wiki.debian.org/chroot
Step by step: https://www.linuxwiki.de/chroot

Chroot and Chroot-Jail, debian.org, wikipedia.org
A chroot on Unix operating systems is an operation, that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. The term "chroot" may refer to the chroot system call or the chroot wrapper program. The modified environment is called a chroot jail.
https://wiki.debian.org/chroot
https://en.wikipedia.org/wiki/Chroot

Linux - Keeping users inside their home directory - Super User
If you use chroot like this, everything the user needs (executables, libraries, etc.) has to be within the chrooted directory. I´ve seen ftp-servers set up that way, with static executables copied into a bin directory.
https://superuser.com/questions/396282/keeping-users-inside-their-home-directory

How to configure ProFTPD to chroot users to /home directory or any ...
If you´re using ProFTPD user on a Linux server, you most certainly have wondered, how you can configure the FTP server to chroot (or jail) it´s users to a particular ...
https://www.pc-freak.net/blog/how-to-configure-proftpd-to-chroot-users-to-home-directory-or-any-other-selected-directory-2

Furthermore past the configuration the server can run in a lower, but even more safer runlevel like runlevel 3 (command: "init 3") than common runlevel 5 or 6. mgetty resp. mingetty: terminal-switch ( ALT + CTRL + F1 up to F7), server configuration file (if it is possible there), systemd (sysctl) or chkconfig (to set the runlevel for the server during system boot)

Coreboot - flashing the BIOS: Manufacturer BIOS-replacement by the Linux-System, https://www.kuketz-blog.de/sicheres-desktop-system-linux-haerten-teil1/
"System security already defines upon the hardware-level. Even today it might be difficult to find out WLAN-chipsets open source driver are provided. Exceptions like for AR9170 chipset are provided, same for the BIOS.
Idally Coreboot can replace the actual BIOS for a open-source, free BIOS. Otherwise hidden backdoors are risked usable by secret services.
We can be only really "secure", if open-source is used by hard- and software. [...].
Therefore I am urged for the project "hardened Linux" to make an exception and like to repeat, that this project does not protect against directed secret services.
I...] As I wrote with the first article, a secure operating system can only be obtained using Linux resp. Unix."
https://www.coreboot.org/Supported_Motherboards # u.a.
Many BIOS-variants are associated with software failures. Getting rid of them often implies updates from manufacturer. Beneath these unintended restrictions basic approaches exist to implement more functions in proprietary firmware (BIOS resp. UEFI) in future, that make afraid of more conscious restrictions of functionality.
Quelle: https://www.kuketz-blog.de/sicheres-desktop-system-linux-haerten-teil1/
https://www.kuketz-blog.de/sicheres-desktop-system-linux-haerten-teil2/
https://de.wikipedia.org/wiki/Coreboot
https://www.golem.de/0912/72132.html
With Coreboot the system-startup-time can also be declined.

hal resp. haldaemon extends the boot-startup-time for C6 (Centos 6) resp. "previous" mdv (2010-2012) until the KDE-login (kdm) without regarding the LUKS-passwort-login and harddisc-check by fsck (we thought of each boot) serious hard from around 20 seconds up to more than one minute ! hal resp. hald (haldaemon) might work faster by creating the file haldaemon within /etc/sysconfig with the follwoing include:

--child-timeout=15 # Begrenzung der Kindprozesse --daemon=no

In /etc/dbus-1/system.d/hal.conf forbid some up to now allowed methods and devices, eventually like LightSensor and WakeOnLan, and in another subdirectorys haldaemon referring files like *dell-computer* eventually can just be deleted (removed)..

Konfiguration der Netzwerkschnittstelle /etc/udev/rules.d/70-persistent-net.rules

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.
# Drakx-net rule for eth0 (cb:ad:b3:81:1a:53)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="cb:ad:b3:81:1a:53",ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
... only the network-devices and as much no more entries else als possible! For this purpose make a copy of file 70-persistent-net.rules in any directory and copy it into /etc/udev/rules.d/ each boot by rc.local: add "cp -fp ...", what prevents many udev based network conflicts in future!

ifcfg-eth0

/etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=no
METRIC=5
MII_NOT_SUPPORTED=yes
USERCTL=yes
DNS1=127.0.0.1
RESOLV_MODS=yes
LINK_DETECTION_DELAY=6
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=yes
DHCP_CLIENT=dhclient -4 -cf /etc/dhcp/dhclient.conf eth0
NEEDHOSTNAME=no
PEERDNS=no
PEERYP=no
PEERNTPD=no
TYPE=Ethernet
IPADDR=0.0.0.0
MACADDR=e1:a0:b0:cd:a1:b8 # original OR "black masked" hardware address (ethernet-card): Try /etc/rc.local. "macchanger --mac e1:a0:b0:cd:a1:b8 eth0" and set in Linfw3 "your IP" to the by this mac-address new resp. origin pregiven one (local IP) next (or past) the connection-build-up. The computer (system) might break down after all these changes, but after some newstarts, the system will gain its old´n good stability right back.

More network troubleshooting:
https://www.pcwelt.de/a/wlan-probleme-so-loesen-sie-typische-aergernisse,3389115 https://www.pcwelt.de/ratgeber/Fehlersuche-im-Netzwerk-LAN-WLAN-1953158.html

Intall the actual netprofile (rpm: omv2015, pclos, rosa2014.1) only; never choose other (elder) buggish versions!

If the interface is eth0 only, delete the following files:

rm -df /etc/netprofile/profiles/default/network/var/lib/dhcp/dhclient-eth1.leases
rm -df /etc/netprofile/profiles/default/network/var/lib/dhcp/dhclient-eth1.leases
...

Remove all other interfaces except eth0 from drbl.conf, choose eth0 only, if eth0 is the net-interface
drbl.conf
nano cd /etc/drbl/drbl.conf

There should be only one interface named eth0 be configured, even shown in MCC. If the net-adapter does not build up the connection, look out for all passages in files with eth not valued zero like eth1, eth2 and so on! Use grep -R to find such files and remove them (such passages)! Update dhclient (el6) and netprofile including all netprofile-plugins to netprofile (rosa2016.1, omv4)! If there are still problems, have a hort time to plug out the net adapter of the DSL-Modem to plug it in again for a new connection build-up with the DSL-provider. Now the net adapter should work fine and, as we hope forever!

Netz-Aliase

/etc/networks

default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0 # link-local 169.254.0.0 # In a computer network, a link-local address is a network address that is valid only for communications within the network segment (link) or the broadcast domain that the host is connected to. Link-local addresses are most often assigned automatically through a process known as stateless address autoconfiguration or link-local address autoconfiguration. Link-local addresses are not guaranteed to be unique beyond a single network segment. Routers therefore do not forward packets with link-local addresses.
For protocols that have only link-local addresses, such as Ethernet,[dubious - discuss] hardware addresses assigned by manufacturers in networking elements are unique, consisting of a vendor identification and a serial identifier. Link-local addresses for IPv4 are defined in the address block 169.254.0.0/16 in CIDR notation. In IPv6, they are assigned the address block fe80::/10, https://en.wikipedia.org/wiki/Link-local_address.

Preload-acceleration
The Tool Preload accelerates not the boot time, but program starts or autostarts (under "Start programs"), that are used often or regulary awaiting past each system login. This simple service protcols the program favorites and loads them into the RAM right before. The program start accelerates by this. Preload is obtainable as rpm and deb packet.


A manual configuration is not essential, but possible ("/etc/preload.conf") (start preload for example within /etc/rc.local)
https://www.pcwelt.de/ratgeber/Schneller_Linux-Start_ueber_Systemd_-_so_geht_s-Dienste_optimieren-8259105.html

rkhunter, chkrootkit, Lynis - security check
With lynis an audit can simply be made:

su
lynis audit system --quick

After the first run one gets confronted with the total result named "Hardening index". "Warnings" and "Suggestions" howto secure resp. harden the system are shown during the scrolling.
https://www.kuketz-blog.de/linux-systemhaertung-basis-linux-haerten-teil2/

Delete X Windows on server
X Windows on server is not required. There is no reason to run X Windows on your dedicated mail and Apache web server. You can disable and remove X Windows to improve server security and performance. Edit /etc/inittab and set run level to 3. Finally, remove X Windows system, enter:

# yum groupremove "X Window System"
On CentOS 7/RHEL 7 server use the following commands:
# yum group remove "GNOME Desktop"
# yum group remove "KDE Plasma Workspaces"
# yum group remove "Server with GUI"
# yum group remove "MATE Desktop"

https://www.cyberciti.biz/tips/linux-security.html

X-Server: Howto secure up: Host- and cookie-based access
he number 1 rated high risk system vulnerability noted by the recent ISS audit of BNL was the use of "xhost +" or an open X display. Using "xhost +" allows anyone the ability to watch your keystrokes, capture windows and insert command strings into your windows. This situation is particularly bad when you have root access to a machine. There is no legitimate reason to run "xhost +". Most people will be using ssh to make their connections to other machines than their desktop and ssh tunnels X11 traffic, eliminating any need for "xhost +". To use turn on X11 forwarding with ssh call it like:

ssh -X host.domain

This can be turned on by default by adding the following to DOLLARSIGNHOME/.ssh/config:

Host *.bnl.gov
ForwardX11 yes

Make sure of the following things:

You should not set your DISPLAY variable, ssh will do it for you. It will look something like:

echo DOLLARSIGNDISPLAY
localhost:12.0

X11 forwarding must be allowed by the SSH server. Check /etc/ssh/sshd_config for a line saying "X11Forwarding yes".
On Linux/UNIX machines, the "xhost +" command can be issued at many locations, so you will have to remember, where you did it or find the location to turn it off (I believe that all recent version of the Linux X server have "xhost -" as the default). If you cannot find where the "xhost +" command is issued, adding a call to "xhost -" somewhere will turn it off.

Some of the most common files where you can find the "xhost +" command are in the X11 startup files. These file are

DOLLARSIGNHOME/.Xclients
DOLLARSIGNHOME/.Xclients.gnome
DOLLARSIGNHOME/.Xclients.kde
DOLLARSIGNHOME/.xinitrc
DOLLARSIGNHOMN/.xsession
/etc/X11/xinit/xinitrc
/usr/X11R6/bin/startx
/usr/X11R6/lib/X11/xdm/Xsession

Also, doing a man xinit will give you more information on startup files which are executed when one starts up X11.

If you want to test to see whether you have fixed the "xhost +" problem on your systems, log into another unix computer, disable the ssh X11 encryption channel by resetting the DOLLARSIGNDISPLAY environment variable back to the server port 0 of your desktop, and then try starting up an xclock. For example, type the following commands

ssh youraccount@yourfavoritunixserver.phy.bnl.gov
setenv DISPLAY yourdesktop.phy.bnl.gov:0
xclock

If an xclock pops up on your screen, you still have not properly enabled X11 access control. You should contact your computer liaison for further assistance.

Xterminals
To enable access control (set xhost -) on Tektronix Xterminals bring up the "Setup" menu (F3 key). In the "Configuration Summaries" pull down menu select "X Environment". On the X Environment page toggle "Enable Access Control" to "Yes". Return to the Main Menu and then "Save Settings to NVRAM". The terminal will now reject all X connections except those coming from the machine you connect to via XDM and those coming through tunnels to you XDM host created when you ssh to another machine. If you run "xhost +" on the XDM host, then you will again disable access control, so you should make sure that you do not do this in any of the X setup files (see the UNIX discussion above).

The following is an e-mail from Ofer Rind, who tells us how to enable X11 authentication on NCD Xterminals. Thanks Ofer for you post.
-----------
- Disabling Xhost+ on an Xterminal
(NB: This was tried on both NCD and Textronix Xterminals and seemed to work; however, your mileage may vary. The description is for an NCD.) Press Alt-F3 to pull up the Xterminal control bar. Select "Change Setup Parameters" from the "Setup" menu. When the setup parameters window pops up, select "Access Control." This will expand the menu, revealing an option called "Enable Access Control." Turn this on by pressing the adjacent square. Then, at the bottom of setup window, press the "Apply" button to effect the change. This sometimes takes several seconds, be patient. When the arrow cursor returns, close the setup window and return to your previously scheduled program. X access control should now (hopefully) be enabled. NOTE that this access control can be superseded by a user who logs in on the Xterm and sets "xhost +".
Quelle: http://www.phy.bnl.gov/cybersecurity/old/xhost_plus.html

So our settings typed in terminal and /etc/rc.local after login to superuser by command "su" are (reset by "xhost +" on problems past the login):

xhost -
xhost +si:localuser:local-username
xhost +si:localuser:lokaler-Benutzername# lokaler-Benutzername: nur user, d.h. alle anderen Benutzer sind gesperrt, darunter Benutzer root, surfuser und toruser
xhost -si:localuser:root # bereits mit "xhost -"
xhost -si:localuser:toruser # bereits mit "xhost -"
xhost -si:localuser:surfuser # bereits mit "xhost -"
xhost -inet6:user@ # Das @-Zeichen muss bei inet6 (IPv6) im Unterschied zu si hinter dem Benutzernamen user stehen.
xhost -nis:user@ # nis: Secure RPC network

Output of command xhost:
access control enabled, only authorized clients can connect
SI:localuser:local-username

Do not set it for any other user, even NOT root! These simple two rules (for example in /etc/rc.local) make the system once more mouseclick-fast..

X-Server, cookie-based access: MIT-MAGIC-COOKIE-1
When using xdm (X Display Manager) to log in, you get a much better access method: MIT-MAGIC-COOKIE-1.
A 128-bit "cookie" is generated and stored in your .Xauthority file. If you need to allow a remote machine access to your display, you can use the xauth command and the information in your .Xauthority file to provide access to only that connection. See the Remote-X-Apps mini-howto, available at
http://metalab.unc.edu/LDP/HOWTO/mini/Remote-X-Apps.html.

Cookie-based access
The cookie-based authorization methods are based on choosing a magic cookie (an arbitrary piece of data) and passing it to the X display server when it is started; every client that can prove having knowledge of this cookie is then authorized connection to the server.
These cookies are created by a separate program and stored in the file .Xauthority in the user´s home directory, by default. As a result, every program run by the client on the local computer can access this file and therefore the cookie that is necessary for being authorized by the server. If the user wants to run a program from another computer on the network, the cookie has to be copied to that other computer. How the cookie is copied is a system-dependent issue: for example, on Unix-like platforms, scp can be used to copy the cookie.
The two systems using this method are MIT-MAGIC-COOKIE-1 and XDM-AUTHORIZATION-1. In the first method, the client simply sends the cookie when requested to authenticate. In the second method, a secret key is also stored in the .Xauthority file. The client creates a string by concatenating the current time, a transport-dependent identifier, and the cookie, encrypts the resulting string, and sends it to the server.
The xauth application is a utility for accessing the .Xauthority file. The environment variable XAUTHORITY can be defined to override the name and location of that cookie file.
The Inter-Client Exchange (ICE) Protocol implemented by the Inter-Client Exchange Library for direct communication between X11 clients uses the same MIT-MAGIC-COOKIE-1 authentication method, but has its own iceauth utility for accessing its own .ICEauthority file, the location of which can be overridden with the environment variable ICEAUTHORITY. ICE is used, for example, by DCOP and the X Session Management protocol (XSMP).
https://en.wikipedia.org/wiki/X_Window_authorization

Fetch the magic cookie entry relevant to your local display:
[garth@server1 ~]DOLLARSIGN echo xauth add xauth list DOLLARSIGN{DISPLAY#localhost}
xauth add server1.localdomain/unix:12 MIT-MAGIC-COOKIE-1 2928a6e16b7d6d57041dcee632764b72
Switch user to "oracle" and add the entry into your /home/oracle/.Xauthority file (by copying the ‘xauth add…´ line from above:

[garth@server1 ~]DOLLARSIGN sudo su - oracle
[oracle@server1 garth]DOLLARSIGN echo DOLLARSIGNDISPLAY
localhost:12.0
[oracle@server1 garth]DOLLARSIGN xauth add server1.localdomain/unix:12 MIT-MAGIC-COOKIE-1 2928a6e16b7d6d57041dcee632764b72
xauth: creating new authority file /home/oracle/.Xauthority

After this your X-session should work…try something like "xcalc" or "firefox" to test it first and you should be ready to go!
http://www.snapdba.com/2013/02/ssh-x-11-forwarding-and-magic-cookies/

Also use ssh to allow secure X connections. This has the advantage of also being transparent to the end user, and means that no unencrypted data flows across the network.

Also disable any remote connections to your X server by using the ´-nolisten tcp´ option to your X server. This will prevent any network connections to your server over tcp sockets.
Take a look at the Xsecurity man page for more information on X security. The safe bet is to use xdm to login to your console and then use ssh to go to remote sites on which you wish to run X programs.
http://www.tldp.org/HOWTO/Security-HOWTO/password-security.html#AEN698

kdm: /usr/share/config/kdm/kdmrc

...
AllowNullPasswd=false
AllowRootLogin=false
AllowShutdown=None
AutoReLogin=false
...
ServerArgsLocal=-deferglyphs 16 -nolisten tcp
...

X11: Graphic card adjustments, especially for opengl- and SDL-games
Adjustment influences system and graphic card.
BIOS-Setup: Northbridge -> COMBO-mode
Start driconf (hardware see data sheed)
Activate:
1) performance
+ synchronisation follows the verticale frequency rate, so that programs choose the minimal one
+ buffer object reuse: Enable reuse of all size of buffered objects
2 ) display (screen) quality
+ activate S3TC texture compression, even if unsupported by software
3) on failures
+ activate the immediate emptyting of the batch buffer each call for char
+ activate the immediate empying of the GPU-buffer
+ disable throttling on first batch after flush
+ force GLSL extension default behavior to "warn"
+ disable backslash-based line continuation in GLSL-source
+ disable dual source blending
+ perform code generation at shader link time

Deny administrative remote access
/etc/security/access.conf should be changed the way, that a remote access into an administrative account becomes impossible. By this user have to start the program su (or sudo) for administrative rights, so that there is always a track to check.
Add the following line into /etc/security/access.conf:

-:wheel:ALL EXCEPT LOCAL

Do not forget to activate pam-module each service (or the standard configuration), if you want changings within /etc/security/access.conf get noticed.
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.de.html

How to Check Password Expiration of User
In Linux, user´s passwords are stored in ´/etc/shadow´ file in encrypted format. To check password expiration of user´s, you need to use ´chage´ command. It displays information of password expiration details along with last password change date. These details are used by system to decide when a user must change his/her password. To view any existing user´s aging information such as expiry date and time, use the following command.

#chage -l username
To change password aging of any user, use the following command.
#chage -M 60 username
#chage -M 60 -m 7 -W 7 userName
Parameters
-M Set maximum number of days
-m Set minimum number of days

Quelle: https://www.tecmint.com/linux-server-hardening-security-tips/

Checking Accounts for Empty Passwords
Any account having an empty password means its opened for unauthorized access to anyone on the web and it´s a part of security within a Linux server. So, you must make sure all accounts have strong passwords and no one has any authorized access. Empty password accounts are security risks and that can be easily hackable. To check if there were any accounts with empty password, use the following command.

cat /etc/shadow | awk -F: ´(DOLLARSIGN2==""){print DOLLARSIGN1}´

https://www.tecmint.com/linux-server-hardening-security-tips/

Keep a (daily) watch onlog-files (for example with logwatch) as much as the last logins in /var/log/lastlog
With the help of the command lastlog the content from /var/log/lastlog can be transferred into a readable format.
https://www.stefanux.de/wiki/doku.php/linux/hardening

Services should not run as root-processes
deactivate services not needed (smalling the place for attacks): check out opened ports
netstat -lnptu
Internetsuperserver
veralteter inetd noch nötig?
xinetd sicher konfigurieren
(gefährdete) Dienste absichern:
nur auf einer bestimmten IP lauschen, auf andere Ports wechseln
evtl. Port-knocking einsetzen (Beispiel SSH)
Bind mit chroot
sicheren FTP-Server einsetzen: vsftp oder pure-ftpd
unsichere Dienste nicht für kritische Aufgaben (Login) zulassen:
FTP
Telnet
veraltete r-Dienste (rsh, rlogin, …)
nur notwendige Benutzerkonten einrichten
regelmäßig die Passwörter der Benutzer auf unsichere Passwörter überprüfen
leere Passwörter nicht erlauben
Kernel absichern
eigenen (minimalen) Kernel bauen
Integritätschecker, z.B. tripwire als cronjob laufen lassen. Die Signaturen sollten auf einem sicheren Drittsystem gelagert werden bzw. read-only gemountet sein (z. B. auf einer CD oder Diskette mit Schreibschutz)
Die Benutzung von Shadow ist meist schon aktiviert (shadowconfig on) Protokolle (Logfiles) sichern:
Loghost einrichten oder
Logfiles absichern: Mit Secure Logging von Core-Wisdom können Sie Logfiles auch in mySQL-Datenbanken ablegen oder per Fingerabdruck gegen Veränderung sichern.
msyslogd oder
logrotate → Log per mail
regelmäßig nach suid-Programme suchen:
automatisch mit Programmen:
sxid schickt eine tägliche Report über dazugekommene suid/sgid per mail zu
manuell:
root-suids:
find / -perm -4000 2>/dev/null
allgemein suids:
find / -perm +6000
sgid-programme:
find / -perm -2000 2>/dev/null
volle Ausgabe mit allen Rechten bekommt man mit:
ls -lad --full-time ´find / -perm +6000´
Banner (Versionsnummern etc.) von Diensten abschalten
in /etc/motd die Kernelversion nicht anzeigen lassen, stattdessen Warnungen für Angreifer
SSH: Im Sourcecode
Webserver:
Logfiles studieren
Monitoring betreiben
Source: https://www.stefanux.de/wiki/doku.php/linux/hardening

SVGA
SVGAlib programs are typically SUID-root in order to access all your Linux machine´s video hardware. This makes them very dangerous. If they crash, you typically need to reboot your machine to get a usable console back. Make sure any SVGA programs you are running are authentic and can at least be somewhat trusted. Even better, don´t run them at all.
Quelle: http://www.tldp.org/HOWTO/Security-HOWTO/password-security.html#AEN698

GGI (Generic Graphics Interface project)
The Linux GGI project is trying to solve several of the problems with video interfaces on Linux. GGI will move a small piece of the video code into the Linux kernel, and then control access to the video system. This means GGI will be able to restore your console at any time to a known good state. They will also allow a secure attention key, so you can be sure that there is no Trojan horse login program running on your console.
http://synergy.caltech.edu/~ggi/
Source: http://www.tldp.org/HOWTO/Security-HOWTO/password-security.html#AEN698

Disable USB stick to detect (recommended for companies etc.)
Many times it happens that we want to restrict users from using USB stick in systems to protect and secure data from stealing. Create a file ´/etc/modprobe.d/no-usb´ and adding below line will not detect USB storage.

install usb-storage /bin/true

https://www.tecmint.com/linux-server-hardening-security-tips/

Disbale USB/firewire/thunderbolt-devices
echo ";install usb-storage /bin/true" >> /etc/modprobe.d/disable-usb-storage.conf
echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf
echo ";blacklist thunderbolt" >> /etc/modprobe.d/thunderbolt.conf

Once done, users can not quickly copy sensitive data to USB devices or install malware/viruses or backdoor on your Linux based system.
https://www.cyberciti.biz/tips/linux-security.html

System-Banner
Formulate any "welcome"-text after the login into the server on the system in /usr/lib/issue.net to make unwanted users really think, if to proceed or if it would be better to log out or get away..

How to Spoof a MAC Address (identifying hardware address of the ethernet card) permanently [...] A 48-bit MAC address (e.g., 08:4f:b5:05:56:a0) is a globally unique identifier associated with a physical network interface, which is assigned by a manufacturer of the corresponding network interface card. Higher 24 bits in a MAC address (also known as OUI or "Organizationally Unique Identifier") uniquely identify the organization which has issued the MAC address, so that there is no conflict among all existing MAC addresses.
While a MAC address is a manufacturer-assigned hardware address, it can actually be modified by a user. This practice is often called "MAC address spoofing." In this tutorial, I am going to show how to spoof the MAC address of a network interface on Linux.
Why Spoof a MAC Address?
There could be several technical reasons you may want to change a MAC address. Some ISPs authenticate a subscriber´s Internet connection via the MAC address of their home router. Suppose your router is just broken in such a scenario. While your ISP re-establishes your Internet access with a new router, you could temporarily restore the Internet access by changing the MAC address of your computer to that of the broken router.
Many DHCP servers lease IP addresses based on MAC addresses. Suppose for any reason you need to get a different IP address via DHCP than the current one you have. Then you could spoof your MAC address to get a new IP address via DHCP, instead of waiting for the current DHCP lease to expire who knows when.
Technical reasons aside, there are also legitimate privacy and security reasons why you wish to hide your real MAC address. Unlike your layer-3 IP address which can change depending on the networks you are connected to, your MAC address can uniquely identify you wherever you go. Call me a paranoid, but you know what this means to your privacy. There is also an exploit known as piggybacking, where a hacker snoops on your MAC address on a public WiFi network, and attempts to impersonate you using your MAC address while you are away.
[...] If you want to spoof your MAC address permanently across reboots, you can specify the spoofed MAC address in interface configuration files. For example, if you want to change the MAC address of eth0, do the following.


macchanger: Some things have to be done: "macchanger -r eth0" suggests a random MAC-address to add into /etc/rc.local (by "macchanger --mac new-MAC-address eth0"), same in /etc/sysconfig/network-scripts/ifcfg-eth0 and change the by this new obtained, local IP in LINFW3 (Dialog -> NONYESNO -> own IP), eventually restart the system.
On Fedora, CentOS or RHEL:

nano /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
MACADDR=00:00:00:00:00:01

Alternatively, you can create a custom startup script in /etc/NetworkManager/dispatcher.d as follows, especially if you are using Network Manager. I assume that you already installed macchanger.

nano /etc/NetworkManager/dispatcher.d/000-changemac

#!/bin/bash

case "DOLLARSIGN2" in
up)
macchanger --mac=00:00:00:00:00:01 "DOLLARSIGN1"
;;
esac

... or macchanger -r "DOLLARSIGN1" Quelle: https://xmodulo.com/spoof-mac-address-network-interface-linux.html
This might depend on the hardware. "macchanger -r eth0" can be started at the end of a dialin-script like /usr/sbin/ifup or ifup-eth too for example. The same is possible by ifconfig.

If all this does not function, try same or similar command manually by terminal after the dialin.

Find out the actual set MAC- resp. MAC-Fake-Adresse by

macchanger -s eth0 or

ifconfig

Adjustments within /etc/sysctl/network-scripts/ifcfg-eth0

DEVICE=eth0
# MACADRESS=....
BOOTPROTO=dhcp
ONBOOT=no # automized dialin each boot
METRIC=5
MII_NOT_SUPPORTED=yes
USERCTL=yes # user are allowed to configure the dialin and to dial in itself
DNS1=127.0.0.1
DNS2=203.13.81.14
RESOLV_MODS=yes
LINK_DETECTION_DELAY=6
IPV6INIT=no # perfer IPv4 with dynamic (changing) IP
IPV6TO4INIT=no
ACCOUNTING=no
DHCP_CLIENT=dhclient
NEEDHOSTNAME=no
PEERDNS=no
PEERYP=no
PEERNTPD=no

Resolver configuration file
File /etc/host.conf contains special information, how to configure the resolver library with a configuration keyword each line, followed by belonging configuration information.
/etc/host.conf


order hosts,bind
multi on
reorder on
nospoof on
spoofalert on

Quelle: man host.conf

NetworkManager-Configuration by /etc/NetworkManager/NetworkManager.conf:

[main]
dns=none
plugins=keyfile
dhcp=dhclient
rc-manager=unmanaged

[ifupdown]
managed=false

[logging]
level=error
domains=none

More (secure) configurations of he NetworkManager by NetworkManager.conf see https://developer.gnome.org/NetworkManager/1.11/NetworkManager.conf.html

Deactivate NIS
... in order to avoid password-sharing. For this, LDAP is recommended.

Sicheres finger
Es gibt viele finger-Daemon, als besonders sicher gilt ffingerd. Hier kann die Anzahl der zur selben Zeit laufenden Prozesse und die Anzahl der darauf zugreifenden Hosts limitiert und das verfügbare Interface eingegrenzt werden.

Sichere Nutzung von PCs unter Ubuntu (und andere, Anm., Gooken)- für kleine Unternehmen und Selbstständige v2.0 (PDF, 189KB, Datei ist barrierefrei⁄barrierearm), BSI, 01.08.2018
https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSI-CS_009.html

Guidance
EUD Security Guidance: Ubuntu 18.04 LTS
Created: 24 Jul 2018
Updated: 24 Jul 2018
https://www.ncsc.gov.uk/guidance/eud-security-guidance-ubuntu-1804-lts

paxctld von grsecurity.net (Aufruf paxctld in /etc/rc.local mit "paxctld -c /etc/paxctld.conf -d -p /var/run/paxctld"
https://wiki.gentoo.org/wiki/Project:Hardened/PaX_Quickstart
/etc/paxctld.conf (allowed is s,r,p,m and E)
e,E - https://pax.grsecurity.net/docs/emutramp.txt
m,M - http://pax.grsecurity.net/docs/mprotect.txt
p,P - http://pax.grsecurity.net/docs/pageexec.txt
r,R - http://pax.grsecurity.net/docs/randmmap.txt
s,S - http://pax.grsecurity.net/docs/segmexec.txt
https://en.wikibooks.org/wiki/Grsecurity/Additional_Utilities

#gdb
# /usr/bin/gdb srpm

# steam
# /usr/lib32/ld-linux.so.2 m
# /usr/lib64/ld-linux.so.2 m

# node
# /usr/bin/node m
# /usr/bin/perf m

# firefox
# /usr/lib64/firefox/firefox m
# /usr/lib64/palemoon/palemoon m

# tor-browser
# /home/toruser/tor*/Browser/firefox m

# /usr/lib64/thunderbird/thunderbird m

# oxide
/usr/lib/x86_64-linux-gnu/oxide-qt/oxide-renderer m

# valgrind
/usr/bin/valgrind m

# python
/usr/bin/python E
/usr/bin/python2.6 E
/usr/bin/python2.7 E
/usr/bin/python3.2mu E

# java
# /usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/java m
# /usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/javaws m
# /usr/lib/jvm/java-6-openjdk/jre/bin/java m
# /usr/lib/jvm/java-6-openjdk/jre/bin/java m
# /usr/lib/jvm/java-8-openjdk/jre/bin/java m
# /usr/lib/jvm/oracle-jdk-bin-1.8/bin/java m
# /usr/lib/jvm/oracle-jdk-bin-1.8/jre/bin/java m
# /usr/lib/jvm/zulu-8-amd64/bin/java m

# openrc /lib/rc/bin/lsb2rcconf E

# tuned
# /usr/sbin/tuned m

# libreoffice
# Ubuntu doesn´t seem to carry this patch:
# https://bz.apache.org/ooo/show_bug.cgi?id=80816
# libreoffice will still run fine without the below line,
# but it will report an RWX mprotect attempt
# /usr/lib/libreoffice/program/soffice.bin m

Lock virtual consoles except tty7 by default
/etc/inittab, comment in:
...
# Run gettys in standard runlevels
#1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
...

Start as few root-processes as possible!

Remaining essential root-processes except those started by kernel (kthreadd):


init
X # xhost-access-control or run in usermode, see https://wiki.gentoo.org/wiki/Non_root_Xorg, and X with option "--nolisten tcp" (by default, check it out by pressing keys ESC + STRL and moving mouse over process X; configuration for X: /etc/X11/xorg.conf section "ServerLayout")
hald # makes acpid superfluosly
console-kit-daemon # needed only for the login, timeout possible
wpa-supplicant # part of NetworkManager
psad # or iptables: psd, port-scan-detection; start only with securing options like --no-rdns, --no-whois and --no-snort-sids

udevd # devices and interfaces
kdm
syslogd
klogd
gpm
cupsd
dhclient # or dhcpd etc.
pam_timestamp_c
master
spamd # alternatively try bogofilter for example always running in usermode

Lost or forgotten password, no access onto the system?
The steps you need to take in order to recover from this depend on whether or not you have applied the suggested procedure for limiting access to lilo and your system´s BIOS.
If you have limited both, you need to disable the BIOS setting that only allows booting from the hard disk before proceeding. If you have also forgotten your BIOS password, you will have to reset your BIOS by opening the system and manually removing the BIOS battery.
Once you have enabled booting from a CD-ROM or diskette enable, try the following:

Boot-up from a rescue disk and start the kernel

Go to the virtual console (Alt+F2)

Mount the hard disk where your /root is

Edit (Debian 2.2 rescue disk comes with the editor ae, and Debian 3.0 comes with nano-tiny which is similar to vi) /etc/shadow and change the line:

root:asdfjl290341274075:XXXX:X:XXXX:X::: (X=any number)

to:

root::XXXX:X:XXXX:X:::

This will remove the forgotten root password, contained in the first colon separated field after the user name. Save the file, reboot the system and login with root using an empty password. Remember to reset the password. This will work unless you have configured the system more tightly, i.e. if you have not allowed users to have null passwords or not allowed root to login from the console.
https://www.debian.org/doc/manuals/securing-debian-howto/ch12.de.html

Checking file system integrity
Are you sure /bin/login on your hard drive is still the binary you installed there some months ago? What if it is a hacked version, which stores the entered password in a hidden file or mails it in clear-text version all over the Internet?
The only method to have some kind of protection is to check your files every hour/day/month (I prefer daily) by comparing the actual and the old md5sum of this file. Two files cannot have the same md5sum (the MD5 digest is 128 bits, so the chance that two different files will have the same md5sum is roughly one in 3.4e3803), so you´re on the safe site here, unless someone has also hacked the algorithm that creates md5sums on that machine. This is, well, extremely difficult and very unlikely. You really should consider this auditing of your binaries as very important, since it is an easy way to recognize changes at your binaries.
Common tools used for this are sxid, aide (Advanced Intrusion Detection Environment), tripwire, integrit and samhain. Installing debsums will also help you to check the file system integrity, by comparing the md5sums of every file against the md5sums used in the Debian package archive. But beware: those files can easily be changed by an attacker and not all packages provide md5sums listings for the binaries they provided. For more information please read Do periodic integrity checks, Section 10.2 and Taking a snapshot of the system, Section 4.19.
You might want to use locate to index the whole filesystem, if so, consider the implications of that. The Debian findutils package contains locate which runs as user nobody, and so it only indexes files which are visible to everybody. However, if you change its behaviour you will make all file locations visible to all users. If you want to index all the filesystem (not the bits that the user nobody can see) you can replace locate with the package slocate. slocate is labeled as a security enhanced version of GNU locate, but it actually provides additional file-locating functionality. When using slocate, the user only sees the actually accessible files and you can exclude any files or directories on the system. The slocate package runs its update process with higher privledges than locate, and indexes every file. Users are then able to quickly search for every file which they are able to see. slocate doesn´t let them see new files; it filters the output based on your UID.
You might want to use bsign or elfsign. elfsign provides an utility to add a digital signature to an ELF binary and a second utility to verify that signature. The current implementation uses PKI to sign the checksum of the binary. The benefits of doing this are that it enables one to determine if a binary has been modified and who created it. bsign uses GPG, elfsign uses PKI (X.509) certificates (OpenSSL).
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html

Solution: encryption of the root-partition, see Full System Encryption (FSE)

Lifetime hardware, conductor pathes: secured contacts on graphic cards, boards and platines
Sounds like it is our last advice (but of course it isn´t), not to forget to put some chalk into the computer tower inside. The trick is to keep contacts on mainboard including graphic-chip resp. graphic card and other electronic devices always rust-proof and save from moisture!

Remove online accounts of internet service provider
Phishing, profiling, spam, data handling, investigations by law, organized criminality, secret agencies, ad networks, large server farms, artificial intelligence, social bots, hacks, doxxing, honeypots, man-in-the-middle-attacks, ...: Before starting with the installation of "Universal Linux 2010" resp. before going to update programs and system, try to remove as much online-accounts as possible, that means as making sense for you: social media, Google, paypal, online banking, online shopping, ... This might become quit difficult: So read out belonging manuals and follow the instructions. For still existing accounts security settings should be made serious hard after the logins into the online portals.

Allround-protection through iptables-firewall Linfw3
Linfw3 can be downloaded during further below. With Linfw3 all hacker and all trojans can be blocked, if only the user like surfuser within a group like surfgroup are allowed the password protected start of processes going online into the net. Even superuser root resp. uid 0 belongs to all the user, who are not allowed going online, only processes started by (surfuser) of group (surfgroup). By this, programs can go online in a very easy way, after belonging ports once got opened in Linfw3. This is the main advantage. The next advantage: All passwords except the ones for the LUKS-encrypted root partition get irrelevant - even if others know them! The access rights for files should be set local for each user only onto <=700 ( what can be done automatically per "umask 077" within /etc/fstab, manually by chmod or graphically through the context menu). The last risk remains in the Chrooting, settings by msec like "Forbid root-access", "Forbid extern access for root/forbid chrooting" and/or Sandbox firejail prevent by locking the consoles of the user accounts (including root (uid 0, gid 0), but except surfuser). Even the shell-login of all system- and user-accounts except surfuser can be restricted to /sbin/nologin too - no login possible. This can be done with msec_gui or by a special UNIX/Linux-(bash-)command). ACL-access-control (request by getfacl, settings by setfacl) can restrict processes owned (started) by surfuser access on all kind of (exectuable) files too. Scripts over once opened (established) net-connections can be blocked by Firefox-Extensions ABP, noscript and RequestPolicyBlockedContinued resp. Firefox >= 64 with mechanisms against Cross-Site-Tracking/-Scripting and all other kind of tracking. Beneath this, the Port-Scan-Detektor psad or psd of iptables activated by Linfw3 does its best too! And do not forget FSE (Full System Encryption by LUKS/dm-crypt) thinking of the command mount and therefore also cryptsetup (LUKS) including such chroot... All in all the remaining risk is given only by the started root-processes from kernel from the house Linus Tovalds, although they get blocked by Linfw3 too as long as owned by root by the way already depicted. Especially one root-process envokes some distrust - X (the X-Server, including the graphic card driver), but X can be restricted by own ACl through the command xhost as described in some points from above. There it is described, howto start X with option "-nolisten tcp" and that X can also be started in normal usermode. To get total paranoid, MAC (control resp. restriction of process interaction) might interest too - but that really mustn´t.
This excurs specifies Linfw3, firejail, ACL-Access Control Lists, MAC, Intrusion Detection Systems (IDS, if needed), important Firefox-Extensions upon opened connections and further methods later on, past the section for updating.

Regardless from all Linux-distributions, one and the same Linux gets installed package by package, although this might not possible for each distribution as a fault of their specific architectures (library-structure and so on).

We would prefer the most complete Linux by electing certain distributions getting mixed to call it slackware either by installing a brandnew distribution to mix it up after getting updated or by the backport concept we are going to describe here.
Linux resp. (backported) "Universal-Linux" can origin in mdv2010.1 for example. It is updated long-termed and consequently with Fedora Project (fc), especially CentOS 6 (el6) and CentOS 7 (el7) resp. Scientific Linux (sl6/el6, sl7/el7) and fc -> EPEL (el6, el7) and other el6/sl6 and el7/sl7, where each source package is listed directly under the binary one on pkgs.org. It finally managed to stop leaving rubbish over rubbish of packages from all the outworn over outworn distribution behind. The speciality for the backport-concept is, that almost one and the same version with its own releases get patched over patched in many cases for the same version by new releases, what is marked in the rpm-package name behind the point at the end of the package name, until the intern code does its work stable and secure. So one and the same package-version of the same release got fixed resp. picked out and overworked and overworked until security and functionality (as amost the best sign for security) are given, leading to new releases to one and the same versions. Nevertheless the version might differ resp. change in some, quit seldom cases too.

Secure Programming HOWTO, David A. Wheeler, 2015-09-19
This book provides a set of design and implementation guidelines for writing secure programs. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. Specific guidelines for C, C++, Java, Perl, PHP, Python, Tcl, and Ada95 are included. It especially covers Linux and Unix based systems, but much of its material applies to any system. For a current version of the book, see http://www.dwheeler.com/secure-programs
https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/index.html

SuSE:
Suse Doc: Deployment Guide - Backporting Source Code
SUSE uses backports extensively. The information in this section helps you understand, why it can be deceptive to compare version numbers in order to judge ...
www.suse.com/documentation/sled11/book_sle_deployment/data/sec_update_backports.html

Debian:
Debian richtet neues Backports-Repositorium ein - Pro-Linux
Mit dem neuen Repositorium "lenny-backports-sloppy" stehen Debian-Anwendern künftig aktualisierte Programme ohne große Risiken und Mühen zur Verfügung. www.pro-linux.de/news/1/16241/debian-richtet-neues-backports-repositorium-ein.html

This backporting is provided for CentOS for more than 10 years (CentOS 6: from year 2010 until year 2026), accompanied by CentOS 7 (until 2027).
Installed Linux can be completed to talk about this one and only Linux by installing packages from many other distributions too.
You can read more about CentOS and this fact in our section for Updates.
Alternatively you can order this complete mdv2010 already in an FSE-encrypted form (full system encryption by dracut and LUKS) preinstalled on SSD, where all updates past the update expiration time of mdv2010 including those from CentOS el7 and el6 are already installed. Now, just unpack the tarball of an actual Firefox (actual or actual ESR, extended security release from CentOS or Rosalabs) and Thunderbird (actual ESR (el6, el7)) into a directory like /usr/lib64/firefox-any-name and /usr/lib64/thunderbird-any-name and link the executable files /usr/bin/firefox by the command "ln -sf /usr/lib64/firefox-any-name/firefox-bin /usr/bin/firefox" to update firefox in future following the firefox-INFO-menu. We are going to describe the update of Firefox (and Konqueror) explicitly further below. At last you care for a more or less actual GNU C standard library (glibc(pclos)), for this purpose we tested mga6, ver. 2.22-29 form 17. June 2018. Of course all already installed glibc-packages can be upgraded to mga6 (2.22-29) or higher) or main glibc-package (mga6) with all other glibc-packages coming from el6.

We decided us for kernel 4.20.13 (pclos) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (el6: Version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: Version 008)) on the base of the GNU C Standard Library glibc-2.26 (pclos), glibc-2.22 (mga6) out of:

glibc (pclos, mga6), libc6 (rosa2016.1, rosa2014.1), compat-glibc (el6), glib2.0-common (pclos, el6), glibc-i18ndata (pclos, mga6), glibc-headers (pclos, el6), glibc-static (el6), glibc-utils (pclos, mga6), glibc-profile (pclos, mga6), glibc-glibc_lsb (rosa2016.1, rosa2014.1), locales (pclos, mga6), glib2 (el6), prelink (mga6, mga7, mga5, pclos, rosa2016.1, rosa2014.1), lib64stdc++ (pclos, mga6) or (and this is our tested-well choice:) glibc complete mga6 or: glibc (pclos, mga6 main glibc, rest-rpm: el6), libstdc++ (mga6), libsigc++ (mga6)

additionally, but be careful, miroplayer (el6) and the MCC-printer-administration might not work anymore: lib64glib2 (rosa2014.1), lib64gio2 (rosa2014.1), lib64gobjet2 (rosa2014.1), lib64gmodule2 (rosa2014.1). If they do not, reinstall glib2 (el6) and glib2.0-common (el6).

You can get all such glibc-packages from pkgs.org and rpmfind.net without any problems, but the new filesystem of glibc for mga3 since version 2.17 consists of new linked directories in directory root named /bin, /sbin, /lib and /lib64, so that all of their files have to be copied into equal named directories of /usr: /usr/bin, /usr/sbin, /usr/lib and /usr/lib64. This can cause programs like terminal "konsole" not working anymore, so that the cursor remains in the upper left corner of the started terminal, to think about other terminals like the recommended xterm and the very secure rated but no unicode supporting aterm and the next step to do like installing package (rpm) shadow-utils. Konsole is still functioning only, after devpts is mounted in the device-configuration-file /etc/fstab. This can be done by the following entry:

none /dev/pts devpts mode=620,gid=5

with gid for tty and in the user-administration of MCC set user to a member of group tty,wheel,lp. Now it is possible to install many packages from more actual distributions like not only mdv2011 and mdv2012, but also Mageia Cauldron 1 up to 4 and especially Fedora Project resp. CentOS 6.8 el6 (release: 2010, modificiaton release date (rpm) CentOS- resp. SL-release: 03.08.2015) and el7 (in the last two cases with update-guarantees until year 2026).Now software-packages are provided by rpmfind.net and pkgs.org for CentOS (resp. el6, el7, Scientificlinux (sl6, el6), ALT Linux, Repoforge (el6.rf), CERT Forensics Tools, PUIAS Computational, KBS Extras Testing, P.N., Nux Dextop (el6.nux), Rpmforge (el6.rf), Epel (el6), Atomix, Russian Fedora (el6.ru), NauLinux School (el6.nau), Nau Linux Extras, LinuxTECH und Ghettoforge (el6.gf)), Mandriva mdv2010, mdv2011, mdv2012, Mageia5 down to Mageia 1, Rosa2014.1, Rosa2012.1, newest Fedora, OpenSuSE and Tarballs and programs for any other OS to emulate from everywhere. With el6 and el6 you can follow the Gentoo-GLSA (https://security.gentoo.org/glsa/ ) update security list. We list each package in our section for updates. This all can also be made for other distributions, annoying, if not. Folllowing our steps, this OpenSource-System full of device-driver can be made incomparible secure, while the iptables-firewall Linfw3 bewares the central meaning. For more details, please follow the details from our excurs as follows, especially in the section for updates. For this please notice, that one should not be forgotten: to make 1:1-backups during the installation process on at least one extern storage media, especially by command dd.

report from 21.10.2004, last update: 06.23.2017. If you can not see a menu on the left side, please click here.